<!DOCTYPE html>
<html class='v2' dir='ltr' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'>
<head>
<link href='https://www.blogger.com/static/v1/widgets/1529571102-css_bundle_v2.css' rel='stylesheet' type='text/css'/>
<meta content='IE=EmulateIE7' http-equiv='X-UA-Compatible'/>
<meta content='width=1100' name='viewport'/>
<meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/>
<meta content='blogger' name='generator'/>
<link href='https://blog.malwaremustdie.org/favicon.ico' rel='icon' type='image/x-icon'/>
<link href='https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html' rel='canonical'/>
<link rel="alternate" type="application/atom+xml" title="Malware Must Die! - Atom" href="https://blog.malwaremustdie.org/feeds/posts/default" />
<link rel="alternate" type="application/rss+xml" title="Malware Must Die! - RSS" href="https://blog.malwaremustdie.org/feeds/posts/default?alt=rss" />
<link rel="service.post" type="application/atom+xml" title="Malware Must Die! - Atom" href="https://www.blogger.com/feeds/8268358095554400245/posts/default" />

<link rel="alternate" type="application/atom+xml" title="Malware Must Die! - Atom" href="https://blog.malwaremustdie.org/feeds/8926320833546683754/comments/default" />
<!--[if IE]><script type="text/javascript" src="https://www.blogger.com/static/v1/jsbin/2287435483-ieretrofit.js"></script>
<![endif]-->
<link href='https://lh3.googleusercontent.com/l5qLHC02vbwPebZeO5-NS8TFOTzgKnNY_ToqOI31ZmAPA83Axy92b4rTvHJGXhgcU8EMKtgYjnvXXXdE1XJeF-CuIW57dgD-zwN4MdXdI3-3k2-9SjYymNfU8y6QtzFMQMfm2HI_3iA=w580-h695-no' rel='image_src'/>
<meta content='Mirai FBOT re-emerging botnet Linux malware, aims Linux basis IoT devices for DDoS attacks and malicious traffic distribution' name='description'/>
<meta content='https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html' property='og:url'/>
<meta content='MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat' property='og:title'/>
<meta content='Mirai FBOT re-emerging botnet Linux malware, aims Linux basis IoT devices for DDoS attacks and malicious traffic distribution' property='og:description'/>
<meta content='https://lh3.googleusercontent.com/l5qLHC02vbwPebZeO5-NS8TFOTzgKnNY_ToqOI31ZmAPA83Axy92b4rTvHJGXhgcU8EMKtgYjnvXXXdE1XJeF-CuIW57dgD-zwN4MdXdI3-3k2-9SjYymNfU8y6QtzFMQMfm2HI_3iA=w1200-h630-p-k-no-nu' property='og:image'/>
<!--[if IE]> <script> (function() { var html5 = ("abbr,article,aside,audio,canvas,datalist,details," + "figure,footer,header,hgroup,mark,menu,meter,nav,output," + "progress,section,time,video").split(','); for (var i = 0; i < html5.length; i++) { document.createElement(html5[i]); } try { document.execCommand('BackgroundImageCache', false, true); } catch(e) {} })(); </script> <![endif]-->
<title>Malware Must Die!: MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat</title>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async='async' src='https://www.googletagmanager.com/gtag/js?id=UA-180537376-1'></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-180537376-1');
</script>
<style id='page-skin-1' type='text/css'><!--
/*
-----------------------------------------------
Blogger Template Style
Name:     Awesome Inc.
Designer: Tina Chen
----------------------------------------------- */
/* Variable definitions
====================
<Variable name="keycolor" description="Main Color" type="color" default="#ffffff"/>
<Group description="Page" selector="body">
<Variable name="body.font" description="Font" type="font"
default="normal normal 13px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="body.background.color" description="Background Color" type="color" default="#000000"/>
<Variable name="body.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Links" selector=".main-inner">
<Variable name="link.color" description="Link Color" type="color" default="#888888"/>
<Variable name="link.visited.color" description="Visited Color" type="color" default="#444444"/>
<Variable name="link.hover.color" description="Hover Color" type="color" default="#cccccc"/>
</Group>
<Group description="Blog Title" selector=".header h1">
<Variable name="header.font" description="Title Font" type="font"
default="normal bold 40px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="header.text.color" description="Title Color" type="color" default="#ffffff" />
<Variable name="header.background.color" description="Header Background" type="color" default="transparent" />
</Group>
<Group description="Blog Description" selector=".header .description">
<Variable name="description.font" description="Font" type="font"
default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="description.text.color" description="Text Color" type="color"
default="#ffffff" />
</Group>
<Group description="Tabs Text" selector=".tabs-inner .widget li a">
<Variable name="tabs.font" description="Font" type="font"
default="normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="tabs.text.color" description="Text Color" type="color" default="#ffffff"/>
<Variable name="tabs.selected.text.color" description="Selected Color" type="color" default="#ffffff"/>
</Group>
<Group description="Tabs Background" selector=".tabs-outer .PageList">
<Variable name="tabs.background.color" description="Background Color" type="color" default="#141414"/>
<Variable name="tabs.selected.background.color" description="Selected Color" type="color" default="#444444"/>
<Variable name="tabs.border.color" description="Border Color" type="color" default="#222222"/>
</Group>
<Group description="Date Header" selector=".main-inner .widget h2.date-header, .main-inner .widget h2.date-header span">
<Variable name="date.font" description="Font" type="font"
default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="date.text.color" description="Text Color" type="color" default="#666666"/>
<Variable name="date.border.color" description="Border Color" type="color" default="#222222"/>
</Group>
<Group description="Post Title" selector="h3.post-title, h4, h3.post-title a">
<Variable name="post.title.font" description="Font" type="font"
default="normal bold 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="post.title.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Post Background" selector=".post">
<Variable name="post.background.color" description="Background Color" type="color" default="#141414" />
<Variable name="post.border.color" description="Border Color" type="color" default="#222222" />
<Variable name="post.border.bevel.color" description="Bevel Color" type="color" default="#222222"/>
</Group>
<Group description="Gadget Title" selector="h2">
<Variable name="widget.title.font" description="Font" type="font"
default="normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="widget.title.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Gadget Text" selector=".sidebar .widget">
<Variable name="widget.font" description="Font" type="font"
default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/>
<Variable name="widget.text.color" description="Text Color" type="color" default="#ffffff"/>
<Variable name="widget.alternate.text.color" description="Alternate Color" type="color" default="#666666"/>
</Group>
<Group description="Gadget Links" selector=".sidebar .widget">
<Variable name="widget.link.color" description="Link Color" type="color" default="#888888"/>
<Variable name="widget.link.visited.color" description="Visited Color" type="color" default="#444444"/>
<Variable name="widget.link.hover.color" description="Hover Color" type="color" default="#cccccc"/>
</Group>
<Group description="Gadget Background" selector=".sidebar .widget">
<Variable name="widget.background.color" description="Background Color" type="color" default="#141414"/>
<Variable name="widget.border.color" description="Border Color" type="color" default="#222222"/>
<Variable name="widget.border.bevel.color" description="Bevel Color" type="color" default="#000000"/>
</Group>
<Group description="Sidebar Background" selector=".column-left-inner .column-right-inner">
<Variable name="widget.outer.background.color" description="Background Color" type="color" default="transparent" />
</Group>
<Group description="Images" selector=".main-inner">
<Variable name="image.background.color" description="Background Color" type="color" default="transparent"/>
<Variable name="image.border.color" description="Border Color" type="color" default="transparent"/>
</Group>
<Group description="Feed" selector=".blog-feeds">
<Variable name="feed.text.color" description="Text Color" type="color" default="#ffffff"/>
</Group>
<Group description="Feed Links" selector=".blog-feeds">
<Variable name="feed.link.color" description="Link Color" type="color" default="#888888"/>
<Variable name="feed.link.visited.color" description="Visited Color" type="color" default="#444444"/>
<Variable name="feed.link.hover.color" description="Hover Color" type="color" default="#cccccc"/>
</Group>
<Group description="Pager" selector=".blog-pager">
<Variable name="pager.background.color" description="Background Color" type="color" default="#141414" />
</Group>
<Group description="Footer" selector=".footer-outer">
<Variable name="footer.background.color" description="Background Color" type="color" default="#141414" />
<Variable name="footer.text.color" description="Text Color" type="color" default="#ffffff" />
</Group>
<Variable name="title.shadow.spread" description="Title Shadow" type="length" default="-1px" min="-1px" max="100px"/>
<Variable name="body.background" description="Body Background" type="background"
color="#000000"
default="$(color) none repeat scroll top left"/>
<Variable name="body.background.gradient.cap" description="Body Gradient Cap" type="url"
default="none"/>
<Variable name="body.background.size" description="Body Background Size" type="string" default="auto"/>
<Variable name="tabs.background.gradient" description="Tabs Background Gradient" type="url"
default="none"/>
<Variable name="header.background.gradient" description="Header Background Gradient" type="url" default="none" />
<Variable name="header.padding.top" description="Header Top Padding" type="length" default="22px" min="0" max="100px"/>
<Variable name="header.margin.top" description="Header Top Margin" type="length" default="0" min="0" max="100px"/>
<Variable name="header.margin.bottom" description="Header Bottom Margin" type="length" default="0" min="0" max="100px"/>
<Variable name="widget.padding.top" description="Widget Padding Top" type="length" default="8px" min="0" max="20px"/>
<Variable name="widget.padding.side" description="Widget Padding Side" type="length" default="15px" min="0" max="100px"/>
<Variable name="widget.outer.margin.top" description="Widget Top Margin" type="length" default="0" min="0" max="100px"/>
<Variable name="widget.outer.background.gradient" description="Gradient" type="url" default="none" />
<Variable name="widget.border.radius" description="Gadget Border Radius" type="length" default="0" min="0" max="100px"/>
<Variable name="outer.shadow.spread" description="Outer Shadow Size" type="length" default="0" min="0" max="100px"/>
<Variable name="date.header.border.radius.top" description="Date Header Border Radius Top" type="length" default="0" min="0" max="100px"/>
<Variable name="date.header.position" description="Date Header Position" type="length" default="15px" min="0" max="100px"/>
<Variable name="date.space" description="Date Space" type="length" default="30px" min="0" max="100px"/>
<Variable name="date.position" description="Date Float" type="string" default="static" />
<Variable name="date.padding.bottom" description="Date Padding Bottom" type="length" default="0" min="0" max="100px"/>
<Variable name="date.border.size" description="Date Border Size" type="length" default="0" min="0" max="10px"/>
<Variable name="date.background" description="Date Background" type="background" color="transparent"
default="$(color) none no-repeat scroll top left" />
<Variable name="date.first.border.radius.top" description="Date First top radius" type="length" default="0" min="0" max="100px"/>
<Variable name="date.last.space.bottom" description="Date Last Space Bottom" type="length"
default="20px" min="0" max="100px"/>
<Variable name="date.last.border.radius.bottom" description="Date Last bottom radius" type="length" default="0" min="0" max="100px"/>
<Variable name="post.first.padding.top" description="First Post Padding Top" type="length" default="0" min="0" max="100px"/>
<Variable name="image.shadow.spread" description="Image Shadow Size" type="length" default="0" min="0" max="100px"/>
<Variable name="image.border.radius" description="Image Border Radius" type="length" default="0" min="0" max="100px"/>
<Variable name="separator.outdent" description="Separator Outdent" type="length" default="15px" min="0" max="100px"/>
<Variable name="title.separator.border.size" description="Widget Title Border Size" type="length" default="1px" min="0" max="10px"/>
<Variable name="list.separator.border.size" description="List Separator Border Size" type="length" default="1px" min="0" max="10px"/>
<Variable name="shadow.spread" description="Shadow Size" type="length" default="0" min="0" max="100px"/>
<Variable name="startSide" description="Side where text starts in blog language" type="automatic" default="left"/>
<Variable name="endSide" description="Side where text ends in blog language" type="automatic" default="right"/>
<Variable name="date.side" description="Side where date header is placed" type="string" default="right"/>
<Variable name="pager.border.radius.top" description="Pager Border Top Radius" type="length" default="0" min="0" max="100px"/>
<Variable name="pager.space.top" description="Pager Top Space" type="length" default="1em" min="0" max="20em"/>
<Variable name="footer.background.gradient" description="Background Gradient" type="url" default="none" />
<Variable name="mobile.background.size" description="Mobile Background Size" type="string"
default="auto"/>
<Variable name="mobile.background.overlay" description="Mobile Background Overlay" type="string"
default="transparent none repeat scroll top left"/>
<Variable name="mobile.button.color" description="Mobile Button Color" type="color" default="#ffffff" />
*/
/* Content
----------------------------------------------- */
body {
font: normal normal 13px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
background: #000000 none no-repeat scroll center center;
}
html body .content-outer {
min-width: 0;
max-width: 100%;
width: 100%;
}
a:link {
text-decoration: none;
color: #888888;
}
a:visited {
text-decoration: none;
color: #444444;
}
a:hover {
text-decoration: underline;
color: #cccccc;
}
.body-fauxcolumn-outer .cap-top {
position: absolute;
z-index: 1;
height: 276px;
width: 100%;
background: transparent none repeat-x scroll top left;
_background-image: none;
}
/* Columns
----------------------------------------------- */
.content-inner {
padding: 0;
}
.header-inner .section {
margin: 0 16px;
}
.tabs-inner .section {
margin: 0 16px;
}
.main-inner {
padding-top: 30px;
}
.main-inner .column-center-inner,
.main-inner .column-left-inner,
.main-inner .column-right-inner {
padding: 0 5px;
}
*+html body .main-inner .column-center-inner {
margin-top: -30px;
}
#layout .main-inner .column-center-inner {
margin-top: 0;
}
/* Header
----------------------------------------------- */
.header-outer {
margin: 0 0 0 0;
background: transparent none repeat scroll 0 0;
}
.Header h1 {
font: normal bold 40px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
text-shadow: 0 0 -1px #000000;
}
.Header h1 a {
color: #ffffff;
}
.Header .description {
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
.header-inner .Header .titlewrapper,
.header-inner .Header .descriptionwrapper {
padding-left: 0;
padding-right: 0;
margin-bottom: 0;
}
.header-inner .Header .titlewrapper {
padding-top: 22px;
}
/* Tabs
----------------------------------------------- */
.tabs-outer {
overflow: hidden;
position: relative;
background: #141414 none repeat scroll 0 0;
}
#layout .tabs-outer {
overflow: visible;
}
.tabs-cap-top, .tabs-cap-bottom {
position: absolute;
width: 100%;
border-top: 1px solid #222222;
}
.tabs-cap-bottom {
bottom: 0;
}
.tabs-inner .widget li a {
display: inline-block;
margin: 0;
padding: .6em 1.5em;
font: normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
border-top: 1px solid #222222;
border-bottom: 1px solid #222222;
border-left: 1px solid #222222;
height: 16px;
line-height: 16px;
}
.tabs-inner .widget li:last-child a {
border-right: 1px solid #222222;
}
.tabs-inner .widget li.selected a, .tabs-inner .widget li a:hover {
background: #444444 none repeat-x scroll 0 -100px;
color: #ffffff;
}
/* Headings
----------------------------------------------- */
h2 {
font: normal bold 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
/* Widgets
----------------------------------------------- */
.main-inner .section {
margin: 0 27px;
padding: 0;
}
.main-inner .column-left-outer,
.main-inner .column-right-outer {
margin-top: 0;
}
#layout .main-inner .column-left-outer,
#layout .main-inner .column-right-outer {
margin-top: 0;
}
.main-inner .column-left-inner,
.main-inner .column-right-inner {
background: transparent none repeat 0 0;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
}
#layout .main-inner .column-left-inner,
#layout .main-inner .column-right-inner {
margin-top: 0;
}
.sidebar .widget {
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
.sidebar .widget a:link {
color: #888888;
}
.sidebar .widget a:visited {
color: #444444;
}
.sidebar .widget a:hover {
color: #cccccc;
}
.sidebar .widget h2 {
text-shadow: 0 0 -1px #000000;
}
.main-inner .widget {
background-color: #141414;
border: 1px solid #222222;
padding: 0 15px 15px;
margin: 20px -16px;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
}
.main-inner .widget h2 {
margin: 0 -15px;
padding: .6em 15px .5em;
border-bottom: 1px solid #000000;
}
.footer-inner .widget h2 {
padding: 0 0 .4em;
border-bottom: 1px solid #000000;
}
.main-inner .widget h2 + div, .footer-inner .widget h2 + div {
border-top: 1px solid #222222;
padding-top: 8px;
}
.main-inner .widget .widget-content {
margin: 0 -15px;
padding: 7px 15px 0;
}
.main-inner .widget ul, .main-inner .widget #ArchiveList ul.flat {
margin: -8px -15px 0;
padding: 0;
list-style: none;
}
.main-inner .widget #ArchiveList {
margin: -8px 0 0;
}
.main-inner .widget ul li, .main-inner .widget #ArchiveList ul.flat li {
padding: .5em 15px;
text-indent: 0;
color: #666666;
border-top: 1px solid #222222;
border-bottom: 1px solid #000000;
}
.main-inner .widget #ArchiveList ul li {
padding-top: .25em;
padding-bottom: .25em;
}
.main-inner .widget ul li:first-child, .main-inner .widget #ArchiveList ul.flat li:first-child {
border-top: none;
}
.main-inner .widget ul li:last-child, .main-inner .widget #ArchiveList ul.flat li:last-child {
border-bottom: none;
}
.post-body {
position: relative;
}
.main-inner .widget .post-body ul {
padding: 0 2.5em;
margin: .5em 0;
list-style: disc;
}
.main-inner .widget .post-body ul li {
padding: 0.25em 0;
margin-bottom: .25em;
color: #ffffff;
border: none;
}
.footer-inner .widget ul {
padding: 0;
list-style: none;
}
.widget .zippy {
color: #666666;
}
/* Posts
----------------------------------------------- */
body .main-inner .Blog {
padding: 0;
margin-bottom: 1em;
background-color: transparent;
border: none;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, 0);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, 0);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, 0);
box-shadow: 0 0 0 rgba(0, 0, 0, 0);
}
.main-inner .section:last-child .Blog:last-child {
padding: 0;
margin-bottom: 1em;
}
.main-inner .widget h2.date-header {
margin: 0 -15px 1px;
padding: 0 0 0 0;
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #666666;
background: transparent none no-repeat scroll top left;
border-top: 0 solid #222222;
border-bottom: 1px solid #000000;
-moz-border-radius-topleft: 0;
-moz-border-radius-topright: 0;
-webkit-border-top-left-radius: 0;
-webkit-border-top-right-radius: 0;
border-top-left-radius: 0;
border-top-right-radius: 0;
position: static;
bottom: 100%;
right: 15px;
text-shadow: 0 0 -1px #000000;
}
.main-inner .widget h2.date-header span {
font: normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
display: block;
padding: .5em 15px;
border-left: 0 solid #222222;
border-right: 0 solid #222222;
}
.date-outer {
position: relative;
margin: 30px 0 20px;
padding: 0 15px;
background-color: #141414;
border: 1px solid #222222;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
}
.date-outer:first-child {
margin-top: 0;
}
.date-outer:last-child {
margin-bottom: 20px;
-moz-border-radius-bottomleft: 0;
-moz-border-radius-bottomright: 0;
-webkit-border-bottom-left-radius: 0;
-webkit-border-bottom-right-radius: 0;
-goog-ms-border-bottom-left-radius: 0;
-goog-ms-border-bottom-right-radius: 0;
border-bottom-left-radius: 0;
border-bottom-right-radius: 0;
}
.date-posts {
margin: 0 -15px;
padding: 0 15px;
clear: both;
}
.post-outer, .inline-ad {
border-top: 1px solid #222222;
margin: 0 -15px;
padding: 15px 15px;
}
.post-outer {
padding-bottom: 10px;
}
.post-outer:first-child {
padding-top: 0;
border-top: none;
}
.post-outer:last-child, .inline-ad:last-child {
border-bottom: none;
}
.post-body {
position: relative;
}
.post-body img {
padding: 8px;
background: #222222;
border: 1px solid transparent;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
border-radius: 0;
}
h3.post-title, h4 {
font: normal bold 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
h3.post-title a {
font: normal bold 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #ffffff;
}
h3.post-title a:hover {
color: #cccccc;
text-decoration: underline;
}
.post-header {
margin: 0 0 1em;
}
.post-body {
line-height: 1.4;
}
.post-outer h2 {
color: #ffffff;
}
.post-footer {
margin: 1.5em 0 0;
}
#blog-pager {
padding: 15px;
font-size: 120%;
background-color: #141414;
border: 1px solid #222222;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-moz-border-radius: 0;
-webkit-border-radius: 0;
-goog-ms-border-radius: 0;
border-radius: 0;
-moz-border-radius-topleft: 0;
-moz-border-radius-topright: 0;
-webkit-border-top-left-radius: 0;
-webkit-border-top-right-radius: 0;
-goog-ms-border-top-left-radius: 0;
-goog-ms-border-top-right-radius: 0;
border-top-left-radius: 0;
border-top-right-radius-topright: 0;
margin-top: 1em;
}
.blog-feeds, .post-feeds {
margin: 1em 0;
text-align: center;
color: #ffffff;
}
.blog-feeds a, .post-feeds a {
color: #888888;
}
.blog-feeds a:visited, .post-feeds a:visited {
color: #444444;
}
.blog-feeds a:hover, .post-feeds a:hover {
color: #cccccc;
}
.post-outer .comments {
margin-top: 2em;
}
/* Comments
----------------------------------------------- */
.comments .comments-content .icon.blog-author {
background-repeat: no-repeat;
background-image: url();
}
.comments .comments-content .loadmore a {
border-top: 1px solid #222222;
border-bottom: 1px solid #222222;
}
.comments .continue {
border-top: 2px solid #222222;
}
/* Footer
----------------------------------------------- */
.footer-outer {
margin: -0 0 -1px;
padding: 0 0 0;
color: #ffffff;
overflow: hidden;
}
.footer-fauxborder-left {
border-top: 1px solid #222222;
background: #141414 none repeat scroll 0 0;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
-goog-ms-box-shadow: 0 0 0 rgba(0, 0, 0, .2);
box-shadow: 0 0 0 rgba(0, 0, 0, .2);
margin: 0 -0;
}
/* Mobile
----------------------------------------------- */
body.mobile {
background-size: auto;
}
.mobile .body-fauxcolumn-outer {
background: transparent none repeat scroll top left;
}
*+html body.mobile .main-inner .column-center-inner {
margin-top: 0;
}
.mobile .main-inner .widget {
padding: 0 0 15px;
}
.mobile .main-inner .widget h2 + div,
.mobile .footer-inner .widget h2 + div {
border-top: none;
padding-top: 0;
}
.mobile .footer-inner .widget h2 {
padding: 0.5em 0;
border-bottom: none;
}
.mobile .main-inner .widget .widget-content {
margin: 0;
padding: 7px 0 0;
}
.mobile .main-inner .widget ul,
.mobile .main-inner .widget #ArchiveList ul.flat {
margin: 0 -15px 0;
}
.mobile .main-inner .widget h2.date-header {
right: 0;
}
.mobile .date-header span {
padding: 0.4em 0;
}
.mobile .date-outer:first-child {
margin-bottom: 0;
border: 1px solid #222222;
-moz-border-radius-topleft: 0;
-moz-border-radius-topright: 0;
-webkit-border-top-left-radius: 0;
-webkit-border-top-right-radius: 0;
-goog-ms-border-top-left-radius: 0;
-goog-ms-border-top-right-radius: 0;
border-top-left-radius: 0;
border-top-right-radius: 0;
}
.mobile .date-outer {
border-color: #222222;
border-width: 0 1px 1px;
}
.mobile .date-outer:last-child {
margin-bottom: 0;
}
.mobile .main-inner {
padding: 0;
}
.mobile .header-inner .section {
margin: 0;
}
.mobile .post-outer, .mobile .inline-ad {
padding: 5px 0;
}
.mobile .tabs-inner .section {
margin: 0 10px;
}
.mobile .main-inner .widget h2 {
margin: 0;
padding: 0;
}
.mobile .main-inner .widget h2.date-header span {
padding: 0;
}
.mobile .main-inner .widget .widget-content {
margin: 0;
padding: 7px 0 0;
}
.mobile #blog-pager {
border: 1px solid transparent;
background: #141414 none repeat scroll 0 0;
}
.mobile .main-inner .column-left-inner,
.mobile .main-inner .column-right-inner {
background: transparent none repeat 0 0;
-moz-box-shadow: none;
-webkit-box-shadow: none;
-goog-ms-box-shadow: none;
box-shadow: none;
}
.mobile .date-posts {
margin: 0;
padding: 0;
}
.mobile .footer-fauxborder-left {
margin: 0;
border-top: inherit;
}
.mobile .main-inner .section:last-child .Blog:last-child {
margin-bottom: 0;
}
.mobile-index-contents {
color: #ffffff;
}
.mobile .mobile-link-button {
background: #888888 none repeat scroll 0 0;
}
.mobile-link-button a:link, .mobile-link-button a:visited {
color: #ffffff;
}
.mobile .tabs-inner .PageList .widget-content {
background: transparent;
border-top: 1px solid;
border-color: #222222;
color: #ffffff;
}
.mobile .tabs-inner .PageList .widget-content .pagelist-arrow {
border-left: 1px solid #222222;
}

--></style>
<style id='template-skin-1' type='text/css'><!--
body {
min-width: 960px;
}
.content-outer, .content-fauxcolumn-outer, .region-inner {
min-width: 960px;
max-width: 960px;
_width: 960px;
}
.main-inner .columns {
padding-left: 0px;
padding-right: 310px;
}
.main-inner .fauxcolumn-center-outer {
left: 0px;
right: 310px;
/* IE6 does not respect left and right together */
_width: expression(this.parentNode.offsetWidth -
parseInt("0px") -
parseInt("310px") + 'px');
}
.main-inner .fauxcolumn-left-outer {
width: 0px;
}
.main-inner .fauxcolumn-right-outer {
width: 310px;
}
.main-inner .column-left-outer {
width: 0px;
right: 100%;
margin-left: -0px;
}
.main-inner .column-right-outer {
width: 310px;
margin-right: -310px;
}
#layout {
min-width: 0;
}
#layout .content-outer {
min-width: 0;
width: 800px;
}
#layout .region-inner {
min-width: 0;
width: auto;
}
--></style>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async='async' src='https://www.googletagmanager.com/gtag/js?id=G-GGYD63MC07'></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'G-GGYD63MC07');
</script>
<link href='https://unixfreaxjp.github.io/styles/shCore.css' rel='stylesheet' type='text/css'/>
<link href='https://unixfreaxjp.github.io/styles/shThemeRDark.css' rel='stylesheet' type='text/css'/>
<script src='https://unixfreaxjp.github.io/scripts/shCore.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushCpp.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushCss.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushJava.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushJScript.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPhp.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPython.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushRuby.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushSql.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushVb.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushXml.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPerl.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushPlain.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushBash.js' type='text/javascript'></script>
<script src='https://unixfreaxjp.github.io/scripts/shBrushAsm.js' type='text/javascript'></script>
<script language='javascript'> 
// SyntaxHighlighter.config.bloggerMode = true;
SyntaxHighlighter.all();
</script>
<link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8268358095554400245&amp;zx=6d699317-e04a-4073-a8ed-9df5a54c7ce9' media='none' onload='if(media!=&#39;all&#39;)media=&#39;all&#39;' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8268358095554400245&amp;zx=6d699317-e04a-4073-a8ed-9df5a54c7ce9' rel='stylesheet'/></noscript>
<meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/>
<meta name='google-adsense-platform-domain' content='blogspot.com'/>

<script type="text/javascript" language="javascript">
  // Supply ads personalization default for EEA readers
  // See https://www.blogger.com/go/adspersonalization
  adsbygoogle = window.adsbygoogle || [];
  if (typeof adsbygoogle.requestNonPersonalizedAds === 'undefined') {
    adsbygoogle.requestNonPersonalizedAds = 1;
  }
</script>


</head>
<body class='loading'>
<div class='navbar section' id='navbar'><div class='widget Navbar' data-version='1' id='Navbar1'><script type="text/javascript">
    function setAttributeOnload(object, attribute, val) {
      if(window.addEventListener) {
        window.addEventListener('load',
          function(){ object[attribute] = val; }, false);
      } else {
        window.attachEvent('onload', function(){ object[attribute] = val; });
      }
    }
  </script>
<div id="navbar-iframe-container"></div>
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
<script type="text/javascript">
      gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() {
        if (gapi.iframes && gapi.iframes.getContext) {
          gapi.iframes.getContext().openChild({
              url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d8268358095554400245\x26blogName\x3dMalware+Must+Die!\x26publishMode\x3dPUBLISH_MODE_HOSTED\x26navbarType\x3dLIGHT\x26layoutType\x3dLAYOUTS\x26searchRoot\x3dhttps://blog.malwaremustdie.org/search\x26blogLocale\x3den\x26v\x3d2\x26homepageUrl\x3dhttps://blog.malwaremustdie.org/\x26targetPostID\x3d8926320833546683754\x26blogPostOrPageUrl\x3dhttps://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html\x26vt\x3d-3948139151205513296',
              where: document.getElementById("navbar-iframe-container"),
              id: "navbar-iframe"
          });
        }
      });
    </script><script type="text/javascript">
(function() {
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = '//pagead2.googlesyndication.com/pagead/js/google_top_exp.js';
var head = document.getElementsByTagName('head')[0];
if (head) {
head.appendChild(script);
}})();
</script>
</div></div>
<div class='body-fauxcolumns'>
<div class='fauxcolumn-outer body-fauxcolumn-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<div class='content'>
<div class='content-fauxcolumns'>
<div class='fauxcolumn-outer content-fauxcolumn-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<div class='content-outer'>
<div class='content-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left content-fauxborder-left'>
<div class='fauxborder-right content-fauxborder-right'></div>
<div class='content-inner'>
<header>
<div class='header-outer'>
<div class='header-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left header-fauxborder-left'>
<div class='fauxborder-right header-fauxborder-right'></div>
<div class='region-inner header-inner'>
<div class='header section' id='header'><div class='widget Header' data-version='1' id='Header1'>
<div id='header-inner'>
<a href='https://blog.malwaremustdie.org/' style='display: block'>
<img alt='Malware Must Die!' height='77px; ' id='Header1_headerimg' src='https://2.bp.blogspot.com/-rrlkZ50FDJA/UERTcxL8i3I/AAAAAAAAFY8/F5vmhcrbLs4/s1600/MMD.JPG' style='display: block' width='395px; '/>
</a>
<div class='descriptionwrapper'>
<p class='description'><span>The MalwareMustDie Blog (blog.malwaremustdie.org)</span></p>
</div>
</div>
</div></div>
</div>
</div>
<div class='header-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</header>
<div class='tabs-outer'>
<div class='tabs-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left tabs-fauxborder-left'>
<div class='fauxborder-right tabs-fauxborder-right'></div>
<div class='region-inner tabs-inner'>
<div class='tabs no-items section' id='crosscol'></div>
<div class='tabs no-items section' id='crosscol-overflow'></div>
</div>
</div>
<div class='tabs-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='main-outer'>
<div class='main-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left main-fauxborder-left'>
<div class='fauxborder-right main-fauxborder-right'></div>
<div class='region-inner main-inner'>
<div class='columns fauxcolumns'>
<div class='fauxcolumn-outer fauxcolumn-center-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='fauxcolumn-outer fauxcolumn-left-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='fauxcolumn-outer fauxcolumn-right-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<!-- corrects IE6 width calculation -->
<div class='columns-inner'>
<div class='column-center-outer'>
<div class='column-center-inner'>
<div class='main section' id='main'><div class='widget Blog' data-version='1' id='Blog1'>
<div class='blog-posts hfeed'>

          <div class="date-outer">
        
<h2 class='date-header'><span>Monday, February 24, 2020</span></h2>

          <div class="date-posts">
        
<div class='post-outer'>
<div class='post hentry' itemscope='itemscope' itemtype='https://schema.org/BlogPosting'>
<a name='8926320833546683754'></a>
<h3 class='post-title entry-title' itemprop='name'>
MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat
</h3>
<div class='post-header'>
<div class='post-header-line-1'></div>
</div>
<div class='post-body entry-content' id='post-body-8926320833546683754' itemprop='articleBody'>
Chapters: [<a href="#telnetloader">TelnetLoader</a>] [<a href="#echoloader">EchoLoader</a>] [<a href="#infectionspeed">Propagation</a>] [<a href="#newactor">NewActor</a>] [<a href="#epilogue">Epilogue</a>]
<p>
<h2>Prologue</h2>

<p>A month ago I wrote about IoT malware for Linux operating system, a Mirai botnet's client variant dubbed as FBOT. The writing [<a href="https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html">link</a>] was about reverse engineering <b>Linux ELF ARM 32bit</b> to dissect the new encryption that has been used by their January's bot binaries,

<p>The threat had been on vacuum state for almost one month after my post, until now it comes back again, strongly, with several <i>technical updates</i> in their binary and infection scheme, a re-emerging botnet that I detected its first come-back activities starting from on <b>February 9, 2020</b>. 

<p>This post is writing several significant updates of new Mirai FBOT variant with strong spreading propagation and contains important details that have been observed. The obvious Mirai variant capabilities and some leak codes' adapted known techniques (mostly from other Mirai variants) will not be covered.

<p>This is snippet log of FBOT infection we recorded, as a re-emerging "PoC" of the threat:
<br>
<a href=https://lh3.googleusercontent.com/l5qLHC02vbwPebZeO5-NS8TFOTzgKnNY_ToqOI31ZmAPA83Axy92b4rTvHJGXhgcU8EMKtgYjnvXXXdE1XJeF-CuIW57dgD-zwN4MdXdI3-3k2-9SjYymNfU8y6QtzFMQMfm2HI_3iA=w1607-h695-no><img src="https://lh3.googleusercontent.com/l5qLHC02vbwPebZeO5-NS8TFOTzgKnNY_ToqOI31ZmAPA83Axy92b4rTvHJGXhgcU8EMKtgYjnvXXXdE1XJeF-CuIW57dgD-zwN4MdXdI3-3k2-9SjYymNfU8y6QtzFMQMfm2HI_3iA=w580-h695-no"></a>

<a name=telnetloader>
<p>
<h2>The changes in infection activity</h2></a>

<p>Infection method of FBOT has been changed to be as per shown below, taken from log of the recent FBOT infection session:

<br>
<a href=https://lh3.googleusercontent.com/PcMhMj8Cf2Ovib4HnfZMNkkodbrhi6QzWT-A5JP-wN_S-Q_wll76gjwKG548qoKNgjMmszory65csU1_usd1GgsRl3_i6X9KFmCVHwsoIhvdr8v5dK9Um5iUAVprK_S9B9Q4xLrh95E=w1400-h891-no><img src="https://lh3.googleusercontent.com/PcMhMj8Cf2Ovib4HnfZMNkkodbrhi6QzWT-A5JP-wN_S-Q_wll76gjwKG548qoKNgjMmszory65csU1_usd1GgsRl3_i6X9KFmCVHwsoIhvdr8v5dK9Um5iUAVprK_S9B9Q4xLrh95E=w580-h891-no"></a>

<p>As you can see, there are <i>"hexstrings"</i> blobs pushed into the compromised IoT on a <b>telnet CLI connection</b>. That <i>hexstrings </i>is actually a small ELF binary adjusted to the architecture of the infected device (FBOT has a rich binary factory to infect various Linux IOT supported CPU), to be saved as a file named <b>"retrieve"</b>. This method is significantly new for Mirai FBOT infection, and other infection methods (in their scanner funcion) is more or less similar to their older ones. Mirai FBOT seems not to drop the legacy infection methods they use too, and the adversary is adding <i>"hexstring push"</i> way now to increase the bot client's infection probability. I will cover some more changes in the next section.

<p>
<h2>The binary analysis</h2>

<p>In this part we will analyze two binaries of the recent FBOT. One is the pushed <i>hextstrings </i>one with the ELF format is in <b>ARM v5 32bit little-endian</b>. And for the other ELF, in this post I am picking up the Intel 64bit binary, since my recent blogs and image-posts are all covering enough ARM or MIPS.

<p>
<i><h2>1. ARM 32bit ELF downloader (the "telnet" loader) in pipes</h2></i>

<p>The <i>pushed-hexstrings</i> is saved as file called "retrieve" which is actually a <b>downloader </b>for the Mirai FBOT bot client binary. It was not the smallest <i>downloader </i>I've seen in ELF samples all of these years but it does the job well. The binary is having this information:
<br>
<pre class="brush: js">
retrieve: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), 
          statically linked, stripped
MD5 (retrieve) = d0a7194be28ce86fd68f1cc4fb9f5d42
SHA1 (retrieve) = c98c28944dc8e65d781c8809af3fab56893efeef
1448 Feb 23 03:04 retrieve
</pre>

<p>Small enough to put all strings in binary in a small picture :)
<br>
<a href=https://lh3.googleusercontent.com/yWeqflT7K_Po9l8-IpExtZxZjERxVXg2qsPZd_lMCAPukADVMhishvsZQFct55Dkx85yqePcAcxkzYkoBLVfwW5UGYqOlatvbQZMf41sR4NOUe8xvtUKyszWYDMxPcbZ_49ltunWgX0=w938-h524-no><img src="https://lh3.googleusercontent.com/yWeqflT7K_Po9l8-IpExtZxZjERxVXg2qsPZd_lMCAPukADVMhishvsZQFct55Dkx85yqePcAcxkzYkoBLVfwW5UGYqOlatvbQZMf41sR4NOUe8xvtUKyszWYDMxPcbZ_49ltunWgX0=w580-h524-no"></a>

<p>The binary is a <i>plain and straight ELF file</i>, with normal headers intact, without any packing and so on, it contains the main execution part which is started at virtual address <b>0x838c </b>and it will right away call to 0x81e8 where the main activity are coded:
<br>
<pre class="brush: asm">
/ 388: entry0 ();
|       |   ; var int32_t var_14h @ sp+0x84
|       |   ; var int32_t var_12h @ sp+0x86
|       |   ; var int32_t var_10h @ sp+0x88
|       `=< 0x0000838c      95ffffea       b 0x81e8

- - - - - - - - - - 

[0x000081e8]> pd
|    ; CODE XREF from entry0 @ 0x838c
|    0x000081e8  f0412de9  push {r4, r5, r6, r7, r8, lr}
|    0x000081ec  74319fe5  ldr r3, [aav.aav.0x000083fd] 
|    0x000081f0  98d04de2  sub sp, sp, 0x98
|    0x000081f4  0080a0e3  mov r8, 0
:    0x000081f8  000000ea  b 0x8200
      :           :
</pre>
The other part is the data, where all values of variables are stored. it is located from virtual address <b>0x83f4</b> at <b>section..rodata (0x83fc)</b>, as per shown below:
<br>
<a href=https://lh3.googleusercontent.com/6baU8u9ZTWTQ1Oo7A6tQ4OQCJyAFxXsajvr2RH3zh7FWpeVLiYzAOXLGINKejWC3mDEbU4aH-xPcIaz1NYwavb8f5INZrpC_UQ0Z3wD4PkJA8VPp_uuh0JLfPl3Hr1t2bhQCGuM7s98=w975-h473-no><img src="https://lh3.googleusercontent.com/6baU8u9ZTWTQ1Oo7A6tQ4OQCJyAFxXsajvr2RH3zh7FWpeVLiYzAOXLGINKejWC3mDEbU4aH-xPcIaz1NYwavb8f5INZrpC_UQ0Z3wD4PkJA8VPp_uuh0JLfPl3Hr1t2bhQCGuM7s98=w580-h473-no"></a>

<p>To call the saved data the ELF is using below loader scheme that has been arranged by the compiler:
<br>
<a href=https://lh3.googleusercontent.com/IuyHsc2UwNfbvgO6u2LKp0c-kyhtexT-vcPImzc6s8v16v2IzZ4NFsbsojVyQn7gOSw4eVxC_wrJcov_CNIlLDovC7Bv9mlqM9e92_7Lom-UyYONMCbNha5egXFybDahka73vjW4P2E=w1150-h634-no><img src="https://lh3.googleusercontent.com/IuyHsc2UwNfbvgO6u2LKp0c-kyhtexT-vcPImzc6s8v16v2IzZ4NFsbsojVyQn7gOSw4eVxC_wrJcov_CNIlLDovC7Bv9mlqM9e92_7Lom-UyYONMCbNha5egXFybDahka73vjW4P2E=w580-h634-no"></a>
<br>To be noted that this scheme is unrelated to the malicious code itself.

<p>Next, the malware is stripped, so in radare2 you will see the name like <b>"fcn.00008xxx"</b>, for every function names, from the original function coded by the <i>mal-coder</i>, the used Linux calls and the system calls. So, at first, we have to put the right naming to the right function if we can (Please check out my previous blog about Linux/AirDrop [<a href="https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html">link</a>] for this howto reference). In my case, I restored its naming to the correct location, as per shown in the table like this:

<br>
<a href=https://lh3.googleusercontent.com/TI8GD7eTIRuEHvzdkuPGWnUSfFwjbWviGsnTfyGFRItL8ayu_pYSFILzVL48XpYocDQA9E1hZRCzNqBT_FS8OB8YaX2l_mtU54qOYw2pk90sb6KsFOcXWdcisZkxa0AWmLbxKuRVg5c=w771-h299-no><img src="https://lh3.googleusercontent.com/TI8GD7eTIRuEHvzdkuPGWnUSfFwjbWviGsnTfyGFRItL8ayu_pYSFILzVL48XpYocDQA9E1hZRCzNqBT_FS8OB8YaX2l_mtU54qOYw2pk90sb6KsFOcXWdcisZkxa0AWmLbxKuRVg5c=w400-h299-no"></a>
<br>Now we can start to read the code better, the next thing to do is writing the close-to-original C-code by adjusting several ARM assembly to form the code. Remember to be careful if you use the <i>decompilers</i>, you still have to recognize several parts that can not be processed automatically, in example, in<i> DFIR distro Tsurugi Linux</i> which is having radare2 precompiled with three versions of <i>decompiler </i>plugins, you will see a cool result like this from <b>r2ghidra-dec</b>, <b>r2dec </b>and <b>pdc</b>.
<br>
<a href=https://lh3.googleusercontent.com/9SN-gQd3_fC_j8MulWIuRKF5EIX9ecUT07YQsoSW2_pOR4w71XtEAbjuLAym86GEqUEWw7JfYCfoq5GWB5mGOl8Wad-kmsdSHPMhj-rgO0nTCSZ1hu6u8KaSPMoABF9J4Z8z5d9O8zc=w1390-h722-no><img src="https://lh3.googleusercontent.com/9SN-gQd3_fC_j8MulWIuRKF5EIX9ecUT07YQsoSW2_pOR4w71XtEAbjuLAym86GEqUEWw7JfYCfoq5GWB5mGOl8Wad-kmsdSHPMhj-rgO0nTCSZ1hu6u8KaSPMoABF9J4Z8z5d9O8zc=w580-h722-no"></a>
<br><i>I will demonstrate</i> this Linux distribution in the F<i>IRST annual conference 2020 at the lighting talk</i>, so please stay tune.

<p>After you put your naming to each functions, and try to form the original code by the guidance of your <i>decompiler</i>, then try to re-check again to your binary flow. This binary is quite small but it has several error trapping checks in the step of execution, please make sure you don't miss them. 

<a name=telnetloaderdissect>
<p>In my case I reversed the source code to be something like this:
<br></a>
<a href=https://lh3.googleusercontent.com/rTwNVYKOY90Q53NcZMp6QQedol2a0hSetHHhHXl96aI2EJrJv4Q6xclKRrDXTf9w8QpIX57dF_zM1kkCgOpn1mgHBJ-dGzrGpqqMID83DyZf0X78-FymhNb3WAInj5mwU4O6di8vR7c=w981-h702-no><img src="https://lh3.googleusercontent.com/rTwNVYKOY90Q53NcZMp6QQedol2a0hSetHHhHXl96aI2EJrJv4Q6xclKRrDXTf9w8QpIX57dF_zM1kkCgOpn1mgHBJ-dGzrGpqqMID83DyZf0X78-FymhNb3WAInj5mwU4O6di8vR7c=w580-h702-no"></a>

<p>At this moment we can understand how it works, after firstly confirming the binary is for <b>ARM5</b>, it wrote <b>"MIRAI"</b> and creating socket for TCP connection to remote IP <b>194(.)180(.)224(.)13</b> to fetch the download URL of the bot binary payload. And it open the <b>".t" </b>file with the specific <i>file executable permissions</i>, then saved the received data into that file. Upon socket creation error, or C2 connection error, or file creation error, or also data retrieving error, this program will just quit after writing <b>"NIF"</b>, and upon a success effort it will write <b>"FIN"</b>, close its working sockets and quit. A neat <i>downloader </i>is it? Simple, small and can support many scripting effort too, along with merit to hide its payload source, why Mirai botnet original author was using this type of binary loaders in the first place.

<p>The code I reversed won't work if used, since it is a pseudo code, compiler won't process it, but it is enough to explain how this binary operates, and also explains where is the origin of this program too. I know this by experience since I have been dissecting and following Mirai from the day one [<a href="https://en.wikipedia.org/wiki/Mirai_(malware)">0</a>][<a href="https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html">1</a>][<a href="https://imgur.com/a/53f29O9">2</a>][<a href="https://old.reddit.com/r/LinuxMalware/comments/7p00i3/quick_notes_for_okiru_satori_variant_of_mirai/">3</a>][<a href="https://old.reddit.com/r/LinuxMalware/comments/7qe8wf/first_arc_riscbase_core_targeted_elf_malware_was/">4</a>], but this <i>downloader </i>is based on Mirai downloader that has been modified by a certain actor, again a leaked code is proven recycling.

<a name=fbot3hexstring><br> </a>

<p>For the practical purpose to fast extracting the payload URL in this type of FBOT loader, I made a very practical reversing crash course in 4 minutes for the purpose as per embedded below:
<p>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/1cIxT09cH2k?controls=1" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
<i><br>(pause the video by pressing space or click the video screen)</i>

<p>
<i><h2>2. x86-64 ELF bot client, what's new?</h2></i>

<p>Now we are done with the first binary, so it is the turn of the next binary. In the download server at the path of payloads resides several architecture of binaries too. That's where I picked the <b>ELF x86_64 </b>one for the next reversing topic. The detail is as follows:
<br>
<pre class="brush: js">
bot.x86_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), 
            statically linked, stripped
MD5 (bot.x86_64) = ae975a5cdd9fb816a1e286e1a24d9144
SHA1 (bot.x86_64) = a56595c303a1dd391c834f0a788f4cf1a9857c1e
31244 Feb 23 20:09 bot.x86_64*
</pre>
Let's check it out..

<p>The header and entry0 (and entropy values if you check further) of the binary is showing the sign of packed binary design.
<br>
<pre class="brush: asm">
Program Headers:

Type      Offset             VirtAddr           PhysAddr
          FileSiz            MemSiz              Flags  Align
LOAD      0x0000000000000000 0x0000000000400000 0x0000000000400000
          0x000000000000790c 0x000000000000790c  R E    200000
LOAD      0x0000000000000e98 0x000000000060fe98 0x000000000060fe98
          0x0000000000000000 0x0000000000000000  RW     1000
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
          0x0000000000000000 0x0000000000000000  RW     8

[Entrypoints]
vaddr=0x004067d0 paddr=0x000067d0 haddr=0x00000018 hvaddr=0x00400018 type=program

/ 2701: entry0 (int64_t arg1, int64_t arg2, int64_t arg3, int64_t arg4, int64_t arg_10h);
| ===> 0x004067d0   e8cb0b0000     call 0x4073a0 <===to unpacking
|      0x004067d5   55             push rbp
|      0x004067d6   53             push rbx
|      0x004067d7   51             push rcx     
|      0x004067d8   52             push rdx     
|      0x004067d9   4801fe         add rsi, rdi 
|      0x004067dc   56             push rsi     
|      0x004067dd   4180f80e       cmp r8b, 0xe 
|  ,=< 0x004067e1   0f85650a0000   jne 0x40724c
:  :   0x004067e7   55             push rbp
           :         :
- - - - - - - - - - - - - - - - - - - - - - - 

/ 34: fcn.004073a0 (); <== unpacking function
|      ; var int64_t var_9h @ rbp-0x9
|      0x004073a0   5d             pop rbp
|      0x004073a1   488d45f7       lea rax, [var_9h]
|      0x004073a5   448b38         mov r15d, dword [rax]
|      0x004073a8   4c29f8         sub rax, r15
|      0x004073ab   0fb75038       movzx edx, word [rax + 0x38]
|      0x004073af   6bd238         imul edx, edx, 0x38
|      0x004073b2   83c258         add edx, 0x58               ; 88
|      0x004073b5   4129d7         sub r15d, edx
|      0x004073b8   488d0c10       lea rcx, [rax + rdx]
|      0x004073bc   e874ffffff     call fcn.00407335     
:              :       :            :
</pre>
The binary snippet code:
<br>
<a href=https://lh3.googleusercontent.com/qjAN218asTPrxSPxj45fuqk1sxBRgveGU1dBTwwe9qwRQ4-YQt7XEI_dELgWkmdbgoLtNELwFP6c1d2Ffh68ryt4enwlzqQQTtSCQ0fJUTsdZ0nChN-2ucJAbz25hDj5IQsW1v7Tb2M=w1636-h840-no><img src="https://lh3.googleusercontent.com/qjAN218asTPrxSPxj45fuqk1sxBRgveGU1dBTwwe9qwRQ4-YQt7XEI_dELgWkmdbgoLtNELwFP6c1d2Ffh68ryt4enwlzqQQTtSCQ0fJUTsdZ0nChN-2ucJAbz25hDj5IQsW1v7Tb2M=w580-h840-no"></a>

<p>The unpacking process will load the packed data in <b>0x004073c2 </b>for further unpacking process. You can check my talk in the <b>R2CON 2018</b> [<a href="https://blog.malwaremustdie.org/p/new-video-of-this-talk-has-just-been.html">link</a>] about many tricks I shared on unpacking ELF binaries for more reference to handle this binary.
<p>After unpacking you will get a new binary with characteristic similar to this:
<br>
<pre class="brush: asm">
fbot2-depacked: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), 
                statically linked, stripped
MD5 (fbot2-depacked) = bf161c87d10ecb4e5d9b3e1c95dd35da
SHA1 (fbot2-depacked) = 3aecd1ae638a81d65969c2e0553cfacc639f32a6
58557 Feb 23 13:03 fbot2-depacked
</pre>

<p>If you will see these strings that means you un-packed (or de-pakced) successfully.
<br>
<a href=https://lh3.googleusercontent.com/OtxlgR7dY1UnhMqh0Ogp505l7lShA-lxrLsf09oTXBfnwI1ZnoF4gMGXCIgra9PegYsLRDyAY7Gpr-O9R5ZiMT_QmvS75FeGRKRoaJ_nbnG3WPOCiWdHgps3kV97YakgBE41x1hQFz0=w1331-h944-no><img src="https://lh3.googleusercontent.com/OtxlgR7dY1UnhMqh0Ogp505l7lShA-lxrLsf09oTXBfnwI1ZnoF4gMGXCIgra9PegYsLRDyAY7Gpr-O9R5ZiMT_QmvS75FeGRKRoaJ_nbnG3WPOCiWdHgps3kV97YakgBE41x1hQFz0=w580-h944-no"></a>

<p>In the string above you can see the matched data with the infection log, which is telling us that this binary is actually infecting and attacking another IoT device for the next infection. You can see that hardcoded in teh binary in this virtual address:
<br>
<a href=https://lh3.googleusercontent.com/aYyDDs5EXrj2kdQTcJ0DxLi8BrWHvbfPusexBPkZG4f8S1LyrEoYbZJCUOYw7LDhr2hnFgfcyHLH-kd7cjW0bhwa39CW7bKxkmN1uyVJT8kJVFDnnCWusXfEgLI6dJnsK1XYZOJSndo=w1248-h634-no><img src="https://lh3.googleusercontent.com/aYyDDs5EXrj2kdQTcJ0DxLi8BrWHvbfPusexBPkZG4f8S1LyrEoYbZJCUOYw7LDhr2hnFgfcyHLH-kd7cjW0bhwa39CW7bKxkmN1uyVJT8kJVFDnnCWusXfEgLI6dJnsK1XYZOJSndo=w580-h634-no"></a>

<p>The binary is working similar to older Mirai variants like Satori, Okiru or others, and having several ELF downloaders embedded in the bot client to be pushed during the infection process to the targeted devices. It is hard coded as per seen in this data:

<br>
<a href=https://lh3.googleusercontent.com/PARlv0MgHUItevVHE7y0PYd3JBtX4uqDNyAJOoAxwWOSeoZTU5V2gRdhtni25KRBhT9xIpLUQQexXa-OlJ55RDFGHcmVxa5uPg-gOFekMfR001UiQoo_mZupwFMW42zoOZtJQGkij0A=w1229-h874-no><img src="https://lh3.googleusercontent.com/PARlv0MgHUItevVHE7y0PYd3JBtX4uqDNyAJOoAxwWOSeoZTU5V2gRdhtni25KRBhT9xIpLUQQexXa-OlJ55RDFGHcmVxa5uPg-gOFekMfR001UiQoo_mZupwFMW42zoOZtJQGkij0A=w580-h874-no"></a>

<p>The encrypted data part can be seen in this virtual address of the unpacked ELF:
<br>
<a href=https://lh3.googleusercontent.com/d6NhPk6CRnRtmmFwpWQVYUKqQnCyhKilLeWNC-xWWJg7H3MbhP-gRQGFEY4lqZkUKd-T3P1EXFKq01eFkQkgmmyPw7ABup6DmWul3Wz7h9JLXsST1dLKtvXH993Ivi72gxcuuGRksUM=w976-h896-no>
<img src="https://lh3.googleusercontent.com/d6NhPk6CRnRtmmFwpWQVYUKqQnCyhKilLeWNC-xWWJg7H3MbhP-gRQGFEY4lqZkUKd-T3P1EXFKq01eFkQkgmmyPw7ABup6DmWul3Wz7h9JLXsST1dLKtvXH993Ivi72gxcuuGRksUM=w580-h896-no"></a>

<p>This is where the pain coming isn't it? :) Don't worry, I will explain:
<p>The decryption flow is not changing much, however the logic for encryption is changing. It seems the <i>mal-coders</i> doesn't get their weakness yet and tried fixing a wrong part of the codes to prevent our reversing. Taking this advantage, you can use my introduced decryption dissection method explained in the previous post about Linux Mirai/FBOT [<a href="https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html">link</a>] to dissect this one too. It works for me, should work for you as well. 
<p>Below is my decryption result for encrypted configuration: 
<br>
<a href=https://lh3.googleusercontent.com/ZJ8quuNqH19u3OUbs0vR-_aWp2VVO4G0O1U2wl2N4G4-5c1ldlzy7Mo24VpMXQjaJwJJBG2eLYZZ8ba1HF6irRQbP_XMEgIwJikuH6fXuXf2VWxe_i-BEN-milla66ETzpELl7JbYls=w1439-h900-no>
<img src="https://lh3.googleusercontent.com/ZJ8quuNqH19u3OUbs0vR-_aWp2VVO4G0O1U2wl2N4G4-5c1ldlzy7Mo24VpMXQjaJwJJBG2eLYZZ8ba1HF6irRQbP_XMEgIwJikuH6fXuXf2VWxe_i-BEN-milla66ETzpELl7JbYls=w580-h900-no"></a>

<p>The binary will operate as per commonly known Mirai variant bots, it will listen to <b>TCP/3467</b> and callback to C2 at <b>194(.)36(.)188(.)157</b> on <b>TCP/4321</b> for the botnet communication purpose, and as per other Mirai variants the persistence factor is in the botnet communication. There are some parts taken from Satori and Okiru for embedding <i>downloaders</i> to be used in victim's IoT. The unique feature is the writing for <b>"9xsspnvgc8aj5pi7m28p\n"</b> strings upon execution. This bot client is enriched with more scanner functions (i.e. hardcoded SSDP request function to scan for plug-and-play devices that can be utilized as DDoS amplification,  in Mirai this attack will use spoofed IP address of the victims to launch attack). 

<p>For getting more idea of what this binary does, the strings from the unpacked binary I dumped it <a href=https://pastebin.com/qDdkEGFH>here in a safe <i>pastebin</i></a> source file. Combine the strings that I dumped from unpacked binary with the packed one under different sub_rules, and use the hardcoded unpacking functions opcodes for your Yara rules to detect this packer, hashes and IP from this post are useful also for IOC/Yara detection. VirusTotal can help to guide you more OSINT for the similar ones.

<p>I think that will be all for FBOT new binary updates. So let's move on to the much more important topic..reversing the botnet instance itself, how is the speed, spreads and how big, to understand how to stop them.

<a name=infectionspeed><br></a>
<p>
<h2>The "worrisome" infection speed, evasion tricks and detection ratio problem</h2>

<i><p><b>1. Infection and propagation rates of new FBOT</b></i>

<p>The new wave of infection of the new version is monitored rapidly, and the sign is not so good. 

<p>Since the firstly detected until this post was started to be written (Feb 22), FBOT was having <b>almost 600 infection IP addresses</b>, and due to low scale network monitoring we have, we can expect that the actual value of up to triple to what we have mentioned. Based on our monitoring the FBOT has been initially spread in the weaker security of IoT infrastructure networks in the countries sorted as per below table:
<br>
<a href=https://lh3.googleusercontent.com/w0SeIr8VGuYkkVPUDBCoeylbs-MjSrpYnmRRrh3iJhASkJ8JSy4fOTQTvMDvmXrsi0sdy3ZsWG1W8y_n40Rfsu2lFKrxdL4XXAr57M-TxoYdsAEb8n_ioQqULQvN54jt1DWyYpdvRFI=w563-h553-no>
<img src="https://lh3.googleusercontent.com/w0SeIr8VGuYkkVPUDBCoeylbs-MjSrpYnmRRrh3iJhASkJ8JSy4fOTQTvMDvmXrsi0sdy3ZsWG1W8y_n40Rfsu2lFKrxdL4XXAr57M-TxoYdsAEb8n_ioQqULQvN54jt1DWyYpdvRFI=w300-h553-no"></a>

<a name=olderfbotmap><br> </a>

<p>In the <i>geographical map</i>, the spotted infection as per February 22, 2020 is shown like this:
<br>
<a href=https://lh3.googleusercontent.com/V4Misw5yceVdoouUmakMRCMV7eiF7fRdzu79zoX1qa9DImNcaHtKrzztHL42dIJ9-fwv2Qi0LTTvWw-pg41vTPtGAFp2dnzVpUQnvqmh2TWkI6Wa7Qf8MUaaBf8vOAgkgFtKLrso0SM=w924-h527-no>
<img src="https://lh3.googleusercontent.com/V4Misw5yceVdoouUmakMRCMV7eiF7fRdzu79zoX1qa9DImNcaHtKrzztHL42dIJ9-fwv2Qi0LTTvWw-pg41vTPtGAFp2dnzVpUQnvqmh2TWkI6Wa7Qf8MUaaBf8vOAgkgFtKLrso0SM=w580-h527-no"></a>

<p>The IP addresses that are currently active propagating <b>Linux Mirai FBO</b>T infection up to February 22, 2020 can be viewed <a href="https://pastebin.com/8n9G964c">as a list in this safe <i>pastebin</i></a> link, or as <a href="https://gist.github.com/unixfreaxjp/0511f4cac942413b7c0225dc4a19e0ff">full table with network information</a>. 

<p>The IP counts is growing steadily, please check and search whether your network's IoT devices are affected and currently became a part of Mirai FBOT DDoS botnet. The total infection started from around <b>+/- 590 nodes</b>, and it is increasing rapidly to <b>+/- 930 nodes</b> within <i><b>less than 48 hours</b></i> afterwards from my point of monitoring. I will try to upgrade the data update more regularly.

<p><a href="https://lh3.googleusercontent.com/x6BKNIzta2p8WZQMm94yDDrVRyDQz6Dwp0Mppkw7uF3kvmQhIHYRPO5faf7_jOs_2FcVSO1EqarhROg5G3JtMPfP0D7o3o8RpXsd9dN--yHrurfl6dvsQbgEFbXjcrgW-BjZW0enUCw=w1408-h759-no"><img src="https://lh3.googleusercontent.com/x6BKNIzta2p8WZQMm94yDDrVRyDQz6Dwp0Mppkw7uF3kvmQhIHYRPO5faf7_jOs_2FcVSO1EqarhROg5G3JtMPfP0D7o3o8RpXsd9dN--yHrurfl6dvsQbgEFbXjcrgW-BjZW0enUCw=w580-h759-no"></a>

<i><p><b>2. Update information on FBOT propagation speed (Feb 24, 2020)</b></i>

<p>I just confirmed the infection nodes of FBOT is growing rapidly from February 22 to February 24, 2020. Within less than 48 hours the total infected nodes is raising from +/- 590 nodes to +/- 930 nodes. In the mid February 25 the total infection is 977 nodes. After the botnet growth disclosure the speed of infection has dropped from average 100 nodes new infection to 20 devices per day, concluded the total botnet of infected IP on March 2, 2020 is +/- 1,410 devices.

<p>The speed of infection is varied in affected networks (or countries), and that is because the affected device topology is different. I managed to record the growth of the nodes from my point of monitoring under the table shown below from top 15 infection rank, we will try the best to update this table.
<br>
<pre class="brush: asm">
Mirai FBOT Infection growth,
From Feb 22 to Feb 25, 2020 JST     
-------------------------------------------
Country  Feb22    Feb24    Feb25     Feb25
                           (day)    (night)
         (582)    (932)    (977)    (1086)
-------------------------------------------
Taiwan   190   =>  284  =>  302   =>  340
HongKong 107   =>  132  =>  132   =>  140
Vietnam  109   =>  134  =>  135   =>  139
Korea      6   =>   74  =>   84   =>  104
China     40   =>   74  =>   79   =>   93
Russia    14   =>   29  =>   31   =>   35
Brazil    19   =>   27  =>   28   =>   30
Sweden    13   =>   26  =>   26   =>   27
India      7   =>   21  =>   22   =>   24
USA       15   =>   17  =>   17   =>   20
Ukraine    4   =>   14  =>   15   =>   15
Poland     7   =>   10  =>   10   =>   10
Turkey     0   =>    4  =>    6   =>    9
Romania    4   =>    6  =>    7   =>    7
Italy      3   =>    6  =>    6   =>    6
Canada     4   =>    5  =>    5   =>    6
Norway     3   =>    5  =>    5   =>    6
Singapore  3   =>    5  =>    5   =>    6
Colombia   1   =>    4  =>    4   =>    6
France     2   =>    4  =>    5   =>    5
------------------------------------------
Average spread speed = +/- 100 nodes/day-
as per Feb 25, 2020 - malwaremustdie,org    
</pre>

<p>The February 24, 2020 Mirai FBOT infection information update (mostly are IoT's nodes), in a list of unique IP addresses can be viewed in ==>[<a href="https://pastebin.com/vvdtvwsD">here</a>].  
<br>For the network information of those infected nodes can be viewed in ==>[<a href="https://gist.github.com/unixfreaxjp/0b3e44a58dce33a3a41855da521a8128">here</a>].

<p>The February 25 (daylight/JST), 2020 Mirai FBOT infection information update, in a list of unique IP addresses can be viewed in ==>[<a href="https://pastebin.com/r5pxcBay">here</a>]. 
<br>For the network information of those infected nodes can be viewed in ==>[<a href="https://gist.github.com/unixfreaxjp/be7fde13bcc43bc6d3e7fa9c8ea96f96">here</a>].

<p>The February 25 (midnight/JST), 2020 Mirai FBOT infection information update, in a list of unique IP addresses can be viewed in ==>[<a href="https://pastebin.com/BR274XZ9">here</a>]. 
<br>For the network information of those infected nodes can be viewed in ==>[<a href="https://gist.github.com/unixfreaxjp/cf5a7845baa47579b6d0736b9c7a20d4">here</a>].

<p>On February 26, 2020 Mirai FBOT botnet has gained new <b>128 nodes</b> of additional IOT IP, I listed those in ==>[<a href="https://gist.github.com/unixfreaxjp/557273ec855d90ea92913865f79946e1">here</a>]

<p>On February 27, 2020 Mirai FBOT botnet has gained new <b>74 nodes</b> of additional IOT IP, I listed those in ==>[<a href="https://gist.github.com/unixfreaxjp/c1e2549842ba7523f8c5b860b3b7d181">here</a>]

<p>On March 2, 2020 Mirai FBOT botnet has infected <b>1,410 nodes</b> of IoT devices all over the globe. I listed those networks in here ==>[<a href="https://gist.github.com/unixfreaxjp/7a7c546274b6ff9c7d529d9411db0b6d">here</a>] for the incident handling purpose, if we breakdown the data per country it will look as per info below: 

<p><blockquote class="twitter-tweet"><p lang="en" dir="ltr">Last status of <a href="https://twitter.com/hashtag/Mirai?src=hash&amp;ref_src=twsrc%5Etfw">#Mirai</a> <a href="https://twitter.com/hashtag/Fbot?src=hash&amp;ref_src=twsrc%5Etfw">#Fbot</a> infection:<br>Hit cycle total = 5177<br>Actual alive IP = 1404<br>Rank:<br>Taiwan: 432<br>Vietnam: 186<br>S.Korea: 155<br>HongKong: 149<br>PRC/China: 126<br>Russia: 50<br>India: 39<br>Brazil: 36<br>Sweden: 31<br>United States: 27<br>Ukraine: 17<br>Turkey: 10<br>Poland: 10<br>Japan: 10<a href="https://twitter.com/hashtag/MalwaremustDie?src=hash&amp;ref_src=twsrc%5Etfw">#MalwaremustDie</a></p>&mdash; &#9769;MalwareMustDie (@malwaremustd1e) <a href="https://twitter.com/malwaremustd1e/status/1234306694416494592?ref_src=twsrc%5Etfw">March 2, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

<p>In the above data you see the "hit cycle" values, which is a value explaining the frequency of the botnet infected IoT in trying to infect other devices and recorded.

<p>The latest renewed data we extracted is on March 4, 2020, where Mirai FBOT botnet has infected <b>1,430 nodes</b> of IoT devices. I listed their IP addresses in here ==>[<a href="https://pastebin.com/SyceY8JF">link</a>] with the network info is in here ==>[<a href="https://gist.github.com/unixfreaxjp/97f8d74088a2255c417717cb8fe508ef">link</a>]. This is our last direct update for the public feeds since the process is taking too much resources, and the next of data can only be accessed at IOC sites.

<p>If you would like to know what kind of IOT devices are infected by Mirai Fbot malware, a nice howto in extracting those device information is shared by <b>Msr. Patrice Auffret</b> (thank you!) of <b>ONYPHE </b>(Internet SIEM) in his blog post ==>[<a href="https://www.onyphe.io/blog/analyzing-mirai-fbot-infected-devices-found-by-malwaremustdie/">link</a>]. 

<p>The maximum nodes of Mirai FBOT botnet in the past <b>was around five thousands nodes</b>, we predicted this number (or more) is what the adversaries are aiming now in this newly released campaign's variant. However, after the awareness and analysis post has been published the growth ratio of the new Fbot botnet is starting to drop. The overall volume and growth for this new Mirai Fbot variant can be viewed as per below graph:

<br><a href="https://lh3.googleusercontent.com/IH9FxENGm31pWpfiH4lCuWvZJA_vDVbciT6TMW7SXd2PCoCJfBvMkBeZHuZR0mGPC5HofvAmT-xnTzAnaTNiGbq-EgXIJPnsbSIN9Qxo5F6ZSFDGY6Az79xFV7tyvYV2XGz-k97Mn8I=w934-h575-no"><img src="https://lh3.googleusercontent.com/IH9FxENGm31pWpfiH4lCuWvZJA_vDVbciT6TMW7SXd2PCoCJfBvMkBeZHuZR0mGPC5HofvAmT-xnTzAnaTNiGbq-EgXIJPnsbSIN9Qxo5F6ZSFDGY6Az79xFV7tyvYV2XGz-k97Mn8I=w580-h575-no"></a>

<p>In order to reduce the threat from escalation process, it would be hard to block the whole scope of the infected IoT networks, but one suggested effective way to mitigate this threat is making efforts to clean them up first from the infection, and then control the IoT infrastructure into always be into recent secure state along with replacing their firmware, or even their hardware if needed. If you don't take them under your control, sooner or later the adversaries will come and they will do that in their botnet.

<i><p><b>3. About the C2 nodes</b></i>

<p>The C2 hosts, which are mostly serving the Mirai FBOT payloads and panels, <b>are highly advisable for the blocking </b>and further legal investigation. The C2 IP address data, their activity and network information that has been detected from our point is listed in a chronological activity time line as per below detail:

<br><a href="https://lh3.googleusercontent.com/xkbAMzn34VxNKMbkK5qHU8ssigLc9_pK6q-0tBUVSdzCD4AIVstAyn6mQ4yM6XCbqSpM-JIJXBQfi4uK-WE9LEsmJ9G1MqDijr7LCj3F5ilRG_OXUKRWfr1OndcaL_gVkXoQIkFYFKs=w1010-h317-no"><img src="https://lh3.googleusercontent.com/xkbAMzn34VxNKMbkK5qHU8ssigLc9_pK6q-0tBUVSdzCD4AIVstAyn6mQ4yM6XCbqSpM-JIJXBQfi4uK-WE9LEsmJ9G1MqDijr7LCj3F5ilRG_OXUKRWfr1OndcaL_gVkXoQIkFYFKs=w580-h317-no"></a>

<p>A month ago, when I wrote about the new encryption of Mirai Fbot [<a href="https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html">link</a>], the C2 nodes were spotted in the different locations as per listed in the below table, and even now you can also still see the older version of Mirai Fbot malware running on infected IoT too, that has not been updated to new variant are having traffic to these older C2:

<br><a href="https://lh3.googleusercontent.com/2ThM1eiiZKnbEbRhsApB8_gUtZMz1umOmHlhX8RDi0O9b7dEN_JHMYgN6ps0F7zD9O9BUX4eaPvJlY_bB9qNhjXw4gxPBGOpXqvkTZHc6MbwsNtVGtFsqkqG_kY6Qw12hglfoCeLU90=w1367-h167-no"><img src="https://lh3.googleusercontent.com/2ThM1eiiZKnbEbRhsApB8_gUtZMz1umOmHlhX8RDi0O9b7dEN_JHMYgN6ps0F7zD9O9BUX4eaPvJlY_bB9qNhjXw4gxPBGOpXqvkTZHc6MbwsNtVGtFsqkqG_kY6Qw12hglfoCeLU90=w580-h167-no"></a>

<p><i>This information is shared for the incident and response follow up and IoT threat awareness purpose to support mitigation process at every affected sides. At this moment we saved the timestamp information privately due to large data, to be shared through ISP/Network CSIRT's routes.</i>

<i><b><p>4. The detection ratio, evasion methods, IOC & what efforts we can do</b></i>

<p>The detection ratio of the packed binary of new <b>Linux Mirai FBOT</b> is not high, and contains misinformation. This is caused by the usage of <i>packer </i>and the encryption used by the malware itself. The current detection ratio and malware names can be viewed in [<a href=https://www.virustotal.com/gui/file/07bf82f007ccb4b8bf455c67837606c738b8d9f4ec0ab85f36793470967900c0/community>this URL</a>] or as per screenshot below:
<br>
<a href=https://lh3.googleusercontent.com/Yq6k1WrQa6NXrriZoLgn9Vuv8egkN4aoANB_91tLraPaYJigiRtRHhOVIcEPlhbaObUTdGGMOhNDt-2uUTNk_tp4v_jdnkYciqQFpqwb7ZS6DBUn3hHBW7t2Mobi-6haFkulufK7x4A=w1180-h653-no>
<img src="https://lh3.googleusercontent.com/Yq6k1WrQa6NXrriZoLgn9Vuv8egkN4aoANB_91tLraPaYJigiRtRHhOVIcEPlhbaObUTdGGMOhNDt-2uUTNk_tp4v_jdnkYciqQFpqwb7ZS6DBUn3hHBW7t2Mobi-6haFkulufK7x4A=w580-h653-no"></a>

<p>In the non-intel architecture the detection ratio can be as bad as this one:
<br>
<a href="https://lh3.googleusercontent.com/m4a1dw9fnBlht_3FVlEQ_JfAsly0OUrieGnXQNPKnaCtQ9koQwrXFgWj0qQgt6lKayiOmKwIZUOlvyusmPnNOPj9ajHMWz4cEDPDIMfBGPNbEioGtG-gKOSBuIDsIj6TgTntg4Pjgtc=w2386-h1186-no"><img src="https://lh3.googleusercontent.com/m4a1dw9fnBlht_3FVlEQ_JfAsly0OUrieGnXQNPKnaCtQ9koQwrXFgWj0qQgt6lKayiOmKwIZUOlvyusmPnNOPj9ajHMWz4cEDPDIMfBGPNbEioGtG-gKOSBuIDsIj6TgTntg4Pjgtc=w580-h1186-no"></a>

<p>So, the detection ratio is not very good and it is getting lower for the newly built binaries for IoT platform. The usage of packer is successfully evading anti virus scanning perimeter. But you can actually help all of us to raise detection ratio <b>by sending samples</b> for this related threat to the VirusTotal and if you see unusual samples and you want me to analyze that, please send it to me through ==> [<a href="https://blog.malwaremustdie.org/p/send-sample.html">this interface</a>]. Including myself, there are many good folks joining hands in investigating and marking which binaries are the Linux/Mirai FBOT ones, that will bring improvement to the naming thus detection ratio of this variant's Linux malware.

<p>The <i>signature and network traffic scanning's</i> evasion tricks of new Mirai Fbot binaries is not only by utilizing <b><i>"hexstring-push"</i></b> method, but the <b><i>usage of packer</i></b>, <b><i>embedded loaders in packed binary</i></b> & <b><i>stronger encryption in config  data</i></b> that is actually contains some block-able HTTP request headers. By leveraging these aspects these Mirai FBOT now has successfully evaded current setup perimeters and is doing a high-speed infection under our radars. This is the evasion tricks used by the adversaries that our community should concern more in the future, it will be repeated again and maybe in a better state, since it is proven works.

<p>The IOC for this threat contains more than 1,000 attributes and is having sensitive information, it is shared in MISP project (and also at the OTX) with the summary as per below. The threat is on-going, the threat actors are watching, please share with OPSEC intact:

<p><a href="https://lh3.googleusercontent.com/EMTAcpHfXI3zGTwX3qgymxbueDWQAu42ixG7q6A-gvhkrrDMRYQ5j9T01o9e3ovyZKJsQV6yywyY5tChkNeVfm1jdV2-uj2tkFiDJng_xdmvroEWgvo4GPsgThcQdDXPEdG8QaoKRzs=w1067-h692-no"><img src="https://lh3.googleusercontent.com/EMTAcpHfXI3zGTwX3qgymxbueDWQAu42ixG7q6A-gvhkrrDMRYQ5j9T01o9e3ovyZKJsQV6yywyY5tChkNeVfm1jdV2-uj2tkFiDJng_xdmvroEWgvo4GPsgThcQdDXPEdG8QaoKRzs=w580-h692-no"></a>

<p>In our monitoring effort up to <b>(March 3, 2020)</b> the botnet IP addresses <b>has volume about +/- 1,424</b>. You can use the data posted in MISP event to re-map them into your new object templates for IOT threat classification & correlation, to follow the threat infection progress and its C2 activity better, to combine with your or other other monitoring resources data/feeds.

<p><b>[UPDATE]</b> In our latest monitoring up to <b>(April 17, 2020)</b> this botnet <b>has volume about +/- 1,546</b> IP addresses [<a href="https://gist.github.com/unixfreaxjp/5f73a5c89a81935c552d5613b6086959">-1-</a>] [<a href="https://pastebin.com/Sw8rNU7s">-2-</a>].

<a name=echoloader>
<p><h2>[NEW] Another <b>FBOT </b>"hexstring" downloader, the "echo" type</h2></a>

<p>There is <b>FBOT </b>pushed hexstring that is smaller in size. If you see the infection log there is a slight difference after hextrings pushed at  <b>"./retrieve; ./.t telnet;"</b> and  <b>"./retrieve; ./.t echo"</b>, the token of "<b>telnet</b>" [<a href="https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html#telnetloader">link</a>] and "<b>echo</b>" is the difference, both token are coming from different built versions of <b>FBOT </b>scanner/spreader functions. 
<p>
<a href="https://lh3.googleusercontent.com/Nr7fHlWSnDBCCgw7pPznsYXJ3dDPmOnm4NlUfjdxOPSQRaD7lg34loAwoZop_ivfU8IKOV2oHzuL3cXCnucCx63hkf-LaY2eco58K_ddJ1u9WWcR0zFVAmdWZQraQQk0dbJF4TXJcY4=w1771-h840-no"><img src="https://lh3.googleusercontent.com/Nr7fHlWSnDBCCgw7pPznsYXJ3dDPmOnm4NlUfjdxOPSQRaD7lg34loAwoZop_ivfU8IKOV2oHzuL3cXCnucCx63hkf-LaY2eco58K_ddJ1u9WWcR0zFVAmdWZQraQQk0dbJF4TXJcY4=w580-h840-no"></a>

<p>We have covered the "<b>telnet</b>" one in the beginning of this post [<a href="https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html#telnetloaderdissect">link</a>], now let's learn together on how the "<b>echo</b>" loader's one works in this additional chapter. It is important for people who struggle to mitigate IoT new infection to understand this analysis method, in order to extract C2 information automatically from a specific offset address in the pushed binary of specific pushed "<i>hexstring</i>" types. In my case I am using a simple python script to automatically extracting C2 data from several formats of hexstring attacks, and it works well. 

<p>
<a href="https://lh3.googleusercontent.com/AQYvJMDCb56JJ7BHwI7n5SYOQGQGUFzCFr6UNjKQsggWkeZaMi_DEVrROtvzXSdfaoHAhM2BISmowSxpwPAA5Ngvq2g5GAhZuce69cJJGvg73u_gWgdTO4mivf-4unt3JxrRdNloPFE=w881-h500-no"><img src="https://lh3.googleusercontent.com/AQYvJMDCb56JJ7BHwI7n5SYOQGQGUFzCFr6UNjKQsggWkeZaMi_DEVrROtvzXSdfaoHAhM2BISmowSxpwPAA5Ngvq2g5GAhZuce69cJJGvg73u_gWgdTO4mivf-4unt3JxrRdNloPFE=w580-h500-no"></a>

<p>The pushed binary in the "<b>echo</b>" version is smaller, it's about <b>1180 bytes</b> [<a href="https://pastebin.com/raw/ESeYP7bK">link</a>] and working (and coded) in slightly different way. But how different is it? Why is it different? Where is it coming from? We need to reverse it to answer these questions. Let's start with seeing what it looks like.

<p>The saved blob of the binary looks like this, I marked the part of where IP address of the payload server is actually coded:

<p>
<a href="https://lh3.googleusercontent.com/CnsOAx3547kwz8v13mDWDRHfznjhe75NtZSv_j8dybc1EQrOcxiCgPqBh_nFPV5NxsBcd7ZNWu4RCw3xU2b9J2jzyNTisI4ORajZx-eUwiQ7oCeUeuBkQ1B-p_GnuK-pbvYAAE1xYFg=w901-h866-no"><img src="https://lh3.googleusercontent.com/CnsOAx3547kwz8v13mDWDRHfznjhe75NtZSv_j8dybc1EQrOcxiCgPqBh_nFPV5NxsBcd7ZNWu4RCw3xU2b9J2jzyNTisI4ORajZx-eUwiQ7oCeUeuBkQ1B-p_GnuK-pbvYAAE1xYFg=w580-h866-no"></a>

<p>Now let's start dissecting it. But beforehand, since I've been still asked questions on reversing ARM stripped binaries, so I will make this additional chapter explanation clearer, in steps, for you. All you have to do is downloading and using <b>Tsurugi DFIR Linux SECCON version</b> [<a href="https://blog.0day.jp/p/20191218.html">link</a>] that I use for this, then fire the pre-installed <b>radare2</b> to load the binary of this example (again, it is <b>ARM Embedded ABI</b> arch made by ARM ltd [<a href="https://developer.arm.com/docs/ihi0036/c/application-binary-interface-for-the-arm-architecture-the-base-standard-abi-2018q4-documentation">link</a>], a default port in Linux Debian for ARM architecture, the blob of binary is a <b>little endian</b>  binary in ELF [<a href="https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/">link</a>] 32bits, hence many are calling this architecture as "<b>armel</b>"), and our reverse engineering result should be the same :) 

<p>Another embedded Linux binary reversing guidance I wrote (in a different architecture), which is about analyzing a <b>MIPS big endian</b> ELF, that is also talking about a different and more complex process on a new  IoT malware, you can read it on another post in here ==>[<a href="https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html">link</a>], as the next step after you get through this exercise. 

<p>If you want to practice more reversing on small size ELF sample, for the ARM architecture I have this sample written at this sub-section for you==>[<a href="https://blog.malwaremustdie.org/2016/10/mmd-0058-2016-elf-linuxnyadrop.html#s">link</a>]. And for <b>Intel x86 architecture 32bits</b> I have <b>two other </b>reversing posts that you can use to practice during corona virus isolation time, they are in  here==>[<a href="https://blog.malwaremustdie.org/2014/09/linux-elf-bash-0day-fun-has-only-just.html">link1</a>] and [<a href="https://blog.malwaremustdie.org/2016/02/mmd-0051-2016-debungking-tiny-elf.html">link2</a>]. Please hang in there!

<p>The attribute (file information) of this binary, if you save it correctly, is like this: 

<pre class="brush: js">
MD5 (retrieve2) = d2cb8e7c1f93917c621f55ed24362358
retrieve2.bin: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), 
               statically linked, stripped
strings: GET /fbot.arm7 HTTP/1.0
1180 Mar 14 21:50 retrieve2.bin*
</pre>

<p>You can start with going to this virtual address at <b>819c </b>(it's <b>0x0000819c</b> in your radare2 interface) and print the disassembly in the function with <b>"pdf"</b> after analyzing the whole binary and the entry0 (this) function (<b>af</b>). In order to get you to a specific address in a binary you can use command <b>"s {address}"</b> (<b>s</b> means <b>seek</b>), in this example type: <b>s 0x0000819c</b>.

<p>
<a href=https://lh3.googleusercontent.com/US45XFWheJGONYV3v3y5ky1RLzB9fVIhPQeMu-XEAaFjC6Y33M_i8Ta3_qCnGweHNUcsU7VDxJFVlJMI_I0xPcfoj56O0PimFXpQJST1rajRG6IRARBcPclnckzI9LPl1DVlfgY9hR4=w1157-h940-no><img src="https://lh3.googleusercontent.com/US45XFWheJGONYV3v3y5ky1RLzB9fVIhPQeMu-XEAaFjC6Y33M_i8Ta3_qCnGweHNUcsU7VDxJFVlJMI_I0xPcfoj56O0PimFXpQJST1rajRG6IRARBcPclnckzI9LPl1DVlfgY9hR4=w580-h940-no"></a>

<p>This is the main operational function of the loader, but the symbol of this <b>ELF </b>has been "<i>stripped</i>" made function names are not shown, so we don't know much of its operation. We can start to check how many functions are they. Here's a trick command in radare2 to check how many functions are used or called from this main operational routine:
<pre class="brush: asm">
:> af
:> pdsf~fcn
0x000081c4 bl fcn.00008168 fcn.00008168
0x000081d4 fcn.000080c0 fcn.000080c0
0x000081e4 bl fcn.000080e0 fcn.000080e0
0x000081f0 fcn.000080c0 fcn.000080c0
0x00008200 bl fcn.00008110 fcn.00008110
0x0000820c fcn.000080c0 fcn.000080c0
0x00008228 bl fcn.0000813c fcn.0000813c
0x00008234 fcn.000080c0 fcn.000080c0
0x00008258 bl fcn.0000813c fcn.0000813c
0x00008274 bl fcn.00008110 fcn.00008110
0x00008280 bl fcn.000080c0 fcn.000080c0
:> aflt
.--------------------------------------------------------------------.
| addr        | size  | name          | nbbs  | xref  | calls  | cc  |
)--------------------------------------------------------------------(
| 0x0000829c  | 264   | entry0        | 7     | 5     | 5      | 3   |
| 0x000082a0  | 88    | fcn.000082a0  | 2     | 7     | 1      | 1   |
| 0x00008300  | 44    | fcn.00008300  | 1     | 3     | 0      | 1   |
| 0x00008168  | 44    | fcn.00008168  | 1     | 1     | 1      | 1   |
| 0x000080c0  | 32    | fcn.000080c0  | 1     | 5     | 1      | 1   |
| 0x000080e0  | 44    | fcn.000080e0  | 1     | 1     | 1      | 1   |
| 0x00008110  | 44    | fcn.00008110  | 1     | 2     | 1      | 1   |
| 0x0000813c  | 44    | fcn.0000813c  | 1     | 2     | 1      | 1   |
`--------------------------------------------------------------------'
</pre>
<br>These are the all used functions, not so much, so please try to dissect this with <b>static analysis</b> only, you don't need to execute any sample, yet, please do this under virtual machine to follow below guidance to do so.

<p>Now, let's use my howto reference ==>[<a href="https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html#syscallnaming">link</a>] to put the syscall function name and guess-able function name if any into the places. After you figured the function, run the script below in your radare2 shell to register your chosen naming to those virtual addresses where the functions are started:
<pre class="brush: asm">
:> s 0x0000813c ; afn ____sys_read
:> s 0x00008110 ; afn ____sys_write
:> s 0x000080e0 ; afn ____sys_connect
:> s 0x000080c0 ; afn ____sys_exit
:> s 0x00008168 ; afn ____sys_socket
:> s 0x000082a0 ; afn ____svc_0
</pre>

<p>So you will find the nice table result looks like this:
<pre class="brush: asm">
:> aflt
.--------------------------------------------------------------------.
| addr        | size  | name           | nbbs  | xref  | calls  | cc  |
)---------------------------------------------------------------------(
| 0x0000829c  | 264   | entry0         | 7     | 5     | 5      | 3   |
| 0x000082a0  | 88    | svc_0          | 2     | 7     | 1      | 1   |
| 0x00008300  | 44    | to_0xFFFF0FE0  | 1     | 3     | 0      | 1   |
| 0x00008168  | 44    | ____sys_socket | 1     | 1     | 1      | 1   |
| 0x000080c0  | 32    | ____sys_exit   | 1     | 5     | 1      | 1   |
| 0x000080e0  | 44    | ____sys_connect| 1     | 1     | 1      | 1   |
| 0x00008110  | 44    | ____sys_write  | 1     | 2     | 1      | 1   |
| 0x0000813c  | 44    | ____sys_read   | 1     | 2     | 1      | 1   |
`--------------------------------------------------------------------'
</pre>

<p>In figuring a correct <b>system call</b> (in short = <b>syscall</b>) name in this binary, you should find a number of which syscall is actually going to be called (known as <b>syscall_number</b>), and for that <b>svc_0</b> is the function/service <b>to translate the requests</b> to pass it (alongside with its arguments) <b>to the designated syscall</b>. This is why I listed the functions in <b>82a0 </b>and <b>8300</b>, which are the <b>svc_0</b> and its component, and they both are used for <b>syscall translation</b> purpose.

<p>The functions in addresses of: <b>80c0</b>, <b>80e0</b>, <b>8110</b>, <b>813c </b>and <b>8168 </b>are the <b>"syscall_wrapper"</b> functions [<a href="http://man7.org/linux/man-pages/man2/intro.2.html">link</a>] that needs a help from <b>svc_0</b> to perform their desired system call operations (to trap to kernel mode to invoke a system call). In our case, one of the argument in the <b>syscall wrapper function</b> will define a <i>specific </i><b>syscall_number</b> when the wrapper functions are called from this main routine. The <b>svc_0</b> is processing that passed argument to point into a right <b>system call function</b> translated in the <b>syscall table</b>, and then to pass additional argument(s)needed for the operation of the designated syscall afterward, that's how it works in this binary.

<p>So in the simple logic, the <b>syscall_wrapper</b> looks like this:<br>
<pre class="brush: cpp">
@ SOME_ADDRES_SYSCALL_WRAPPER
int ____sys_SOME_SYSCALL(int arg)
 { 
    return svc_0(SYSCALL_NUMBER, arg); 
 }
</pre>

<p>The above code can be further applied better in every wrapper functions as per below:<br>
<pre class="brush: cpp">
@ 0x00080c0
int ____sys_exit(int arg)
{ return svc_0(1, arg); }

@ 0x00080e0
int ____sys_connect(int arg)
{ return svc_0(283, arg); }

@ 0x0008110
int ____sys_write(int arg)
{ return svc_0(4, arg); }

@ 0x000813c
int ____sys_read(int arg)
{ return svc_0(3, arg); }

@ 0x0008168
int ____sys_socket(int arg)
{ return svc_0(281, arg); }
</pre>

<p>Those numbers of "1", "3", "4", "281" and "283" are all <b>the syscall numbers</b> that the designated Linux OS will translate them to the correct system call according to the kernel's provided <b>syscall table</b> in the file:<br>
<pre class="brush: asm">
/usr/include/{YOUR_ARCH}/asm/unistd_{YOUR_BIT}.h
</pre>
I hope up to this point you can understand  how to figure the syscalls used in this stripped ARM ELF binary, a little bit different than the MIPS one but the concept is the same, there is a syscall_wrapper functions, there is the syscall translator service, the number and a table to translate them, and voila! You know what the syscall name is, and you're good to go to the next step! 

<p>..just remember that we are still at virtual address <b>0x00008198 </b>that's referred form <b>entry0 </b>with b ARM assembly command. Go back to the entry0 and after analysis you can print again the assembly, and under it (scroll down if you need), you should see the renamed functions are referring to the <b>syscall wrapper (svc_0)</b> in the result now. 

<p>
<a href=https://lh3.googleusercontent.com/wHewBqTfRRnN2cfYpkh-GYyZQE91MHSPucnbBjKOjnVzESnqfxyn9MLYNQLL6jJBZc00d7A_Rm-wIG_bxcsECgHtNv908Oc6u-WW8A0BrG-H7NLSnj-0WtN8c0Oh8t5mt6XH3V_iZLQ=w991-h625-no><img src="https://lh3.googleusercontent.com/wHewBqTfRRnN2cfYpkh-GYyZQE91MHSPucnbBjKOjnVzESnqfxyn9MLYNQLL6jJBZc00d7A_Rm-wIG_bxcsECgHtNv908Oc6u-WW8A0BrG-H7NLSnj-0WtN8c0Oh8t5mt6XH3V_iZLQ=w500-h625-no"></a>

<p>And then you can go to address <b>0x0000819c </b>again and print out the disassembly result, which is now it is showing the function namings :) yay!

<p>
<a href=https://lh3.googleusercontent.com/2sd8gn5xGSKmMfxq_Vo9UJpbD_mU0qga0NgTYM8J4vO3ywQihLHxGxvhRcrfwZDOO5v-3zIJY6NGlu-2hJJP_TDwJ0v7NatapI2bzo_H9PPkxh9RyHbxUP2LbB_Ej9OmOOliz8XH1mc=w1515-h945-no><img src="https://lh3.googleusercontent.com/2sd8gn5xGSKmMfxq_Vo9UJpbD_mU0qga0NgTYM8J4vO3ywQihLHxGxvhRcrfwZDOO5v-3zIJY6NGlu-2hJJP_TDwJ0v7NatapI2bzo_H9PPkxh9RyHbxUP2LbB_Ej9OmOOliz8XH1mc=w580-h945-no"></a>

<p>For reverser veterans maybe up to this step is enough to read how this binary works, but for beginners that is not yet familiar with non-Intel architecture maybe you will need to follow these next steps too. 

<p>Let's now fire the <b>r2Ghidra-dec</b> (or <b>r2dec</b>) to disassembly the function, use the additional command option "o" in the end of <b>"pdg"</b> to see the offset (You can use <b>pdda </b>for <i>r2dec</i>).

<p>
<a href=https://lh3.googleusercontent.com/GMR1ov38kYl3YYX-AAgGRbIyaR0Zj6I2TaM1lu332Ylcu6rvL1LC0clKFukzp_WmbFfmP20vn6BH-GD0TF2aEh03cdVqxoo-CdQlcctlpHuCZtKrAaQTyuA_dMxFEUYLoFPIEbd1yIo=w1828-h813-no><img src="https://lh3.googleusercontent.com/GMR1ov38kYl3YYX-AAgGRbIyaR0Zj6I2TaM1lu332Ylcu6rvL1LC0clKFukzp_WmbFfmP20vn6BH-GD0TF2aEh03cdVqxoo-CdQlcctlpHuCZtKrAaQTyuA_dMxFEUYLoFPIEbd1yIo=w580-h813-no"></a>
<i>
<br>(Pardon to my poorly chosen naming on variables that may confuse you, like, connect_length which is more to string_length used for write(), etc)</i>

<p>You may want to know a way my reading IP address in hex fast by radare2:<br>
<a href="https://lh3.googleusercontent.com/beqWti8ge3MTAIxLXiUo-CbXH8ZtD4kAAR5nhUl-CIdvu3bxA6WTAEj5B3Zm24zwW5T6d1Ap5YTC0oskZ9fm7kJAamBcFItTjAGdBHoL4orvuSg1GwzS_otasKv__9DnP47FkZ9UFbI=w898-h377-no"><img src="https://lh3.googleusercontent.com/beqWti8ge3MTAIxLXiUo-CbXH8ZtD4kAAR5nhUl-CIdvu3bxA6WTAEj5B3Zm24zwW5T6d1Ap5YTC0oskZ9fm7kJAamBcFItTjAGdBHoL4orvuSg1GwzS_otasKv__9DnP47FkZ9UFbI=w500-h377-no"></a>

<p>You should see that your reversed function names should be appeared in the result, along with the commented part on the radare2 shell console too. You can change the variable namings too if you want but first let's simplify this result, the next paragraph will explain a further reason for that.

<p><b>Ghidra </b>decompiler by default will show values as variables for those that are pushed into the <i>stacks </i>by <i>registers</i>. You should trace them well, because these bytes pushed are important values as per marked in the printed disassembly pictures above, yes, they are arguements for the called functions, and having important meanings. After understanding those, at this point you can try to simplify and reform the ghidra decompiling result into a simpler C  codes. Minor syntax mistakes are okay..I do that a lot too, try to make it as simple as you can without losing those arguments.

<p><b>r2dec </b>de-compiles the ARM opcodes very well too, the <b>pdda </b>command's result includes the new function names and comments intact to the pseudo C generated, that can be traced to its offset. r2dec in ARM decompiling is reserving the register names as variables, referring to its assembly operation due to script parsing algorithm logic is currently designed that way.This is useful for you to elaborate which register that is actually used as argument for what function, a bit lower level than r2ghidra, yet this will help you to learn how the ARM assembly is actually working. However in some shell terminals (like I am, using VT100 basis) maybe you can not see good syntax highlight coloring, but you can copy them into any syntax highlight supported editor, to find it easier to read, as per following screenshot:

<a href="https://lh3.googleusercontent.com/Un832iF5j5KpD2lFQShvC9mjdl5F0qPccqd40Z52sH3DxAB4Civa50HwKZBzeGkunJ2dk-vVH_Fs6eLXEAkiPxY_sE4RJfndUDOw9K6a60zTpK4568klfJhEXG3wsCKFczovXP01LxU=w1041-h940-no"><p><img src="https://lh3.googleusercontent.com/Un832iF5j5KpD2lFQShvC9mjdl5F0qPccqd40Z52sH3DxAB4Civa50HwKZBzeGkunJ2dk-vVH_Fs6eLXEAkiPxY_sE4RJfndUDOw9K6a60zTpK4568klfJhEXG3wsCKFczovXP01LxU=w580-h940-no"></a>

<p>Another decompiler in radare2 that works fine for the case after you renamed the functions, and can give you some hints in more simplify, in lower level syntax that is still highly influenced by the assembly code, it is called as "<b>pdc</b>".

<p>I refer to <b>pdc </b> when dealing with a complex binaries with many loops or branched-flow of logic, to guide me tracing a flow faster than reading only the assembly code, <b>pdc</b> is a very useful for that purpose since <b>pdc</b> can recognize and handle cascade loops very well, I am using it a lot in reading a decoder or de-obfuscation assisting the simple emulation operation (ESIL), or in the systems where r2ghidra or r2dec have not enough space to be built. But today we are not going to discuss this de-compiler further to avoid confusion. 

<p>Just for the reference, the <b>pdc</b>'s de-compiling result is shown as per below, <i>as a comparative purpose</i>:

<p>
<a href="https://lh3.googleusercontent.com/0Oy0OoZd3ia64bqdQai9-kKgQDNA-ebhWz5aJgvYKPfknWaYcWt0UnKJouH47y6-COBbgQaFRqKDMeA4cv9wjeHWJE59XKCOlJxyqerHB6O0r3fB4D7K1q9Gc9Ju4Lf2LxQDPon9jNM=w1122-h702-no"><img src="https://lh3.googleusercontent.com/0Oy0OoZd3ia64bqdQai9-kKgQDNA-ebhWz5aJgvYKPfknWaYcWt0UnKJouH47y6-COBbgQaFRqKDMeA4cv9wjeHWJE59XKCOlJxyqerHB6O0r3fB4D7K1q9Gc9Ju4Lf2LxQDPon9jNM=w580-h702-no"></a>

<p>In my work desktop I reformed the simplification result of radare2's auto-pseudo-generated codes of this binary, into this following C codes, after re-shaping it to the close-to-original one, Consider this as an example and not on the very final C form yet, but more or less all of the argument values and logic work flow are all in there. Try to do it yourself before seeing this last code, use what r2dec and r2ghidra gave you as reference.

<p><a href="https://lh3.googleusercontent.com/Mn0v9tfpH1BY2MQ0KBdVJrpHfun9Wzi4gKL_zxVRhb6LoI9EQ8O8Kgd9x_EGoQjOuYTAVBGmr_1niHNU-o-IqDlbtKcxo9o4fOkFe8_IW5mkr50SkPJ-LEYDMHtJWwVdekXcnyWrChI=w1192-h953-no"><img src="https://lh3.googleusercontent.com/Mn0v9tfpH1BY2MQ0KBdVJrpHfun9Wzi4gKL_zxVRhb6LoI9EQ8O8Kgd9x_EGoQjOuYTAVBGmr_1niHNU-o-IqDlbtKcxo9o4fOkFe8_IW5mkr50SkPJ-LEYDMHtJWwVdekXcnyWrChI=w580-h953-no"></a>

<p>So now you know about the extraction  URL payload for "echo" loader <i>hexstring</i>. Don't worry If there is other slight change in way that ELF loader preserving download IP or URL data. You can always dissect it again easily by the same method, and in practical it is not necessary to reverse the whole loader binary but just aim the download IP and its URL (and or port number), depends on your flavor. 

<p>Below is the video tutorial for faster process and practical way to adjust the changes on download IP/URL. This concept can be appied for FBot variants with a <i>pushed-hexstring </i>loaders especially the ones that are using Mirai basis loader design. Noted that: this extraction concept is also worked to <b>Hajime</b>, <b>LuaBot</b>, and other Mirai variants with a minor adjustments. For honeypot users, you can use this method to automate the payload URL extraction for each <i>hexstring </i>entries without even downloading the payload.

<p> <iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/6VpMpRcenwY?controls=1" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
<i><br>(pause the video by pressing space or click the video screen)</i>

<b><p><i>The conclusion of this chapter:</i></b>

<p>Unlike the "<b>telnet</b>" one, the difference on how this "<b>echo</b>" type of pushed hextring works, can be described as follows, tagged with "minor" and "major" differences:
<ol>
<li>(Major?) It <b>does not confirming the architecture</b>, frankly, that doesn't matter anyway.
<li>(Major) It <b>doesn't save</b> the read downloaded data into file, like <b>".t" file</b> that open() in "telnet" version, so this "echo" version is just printout the download result to stdout, this explaining the piping handling, hard coded in the FBOT spreader function is a must to save the payload into affected devices. This reduce big I/O operational steps.
<li>(Minor) It doesn't bother to close the connection after the writing is done, and just exit the program.
<li>(Minor) It isn't using IP reforming step, just using a hardcoded hexadecimal form of IP address.
</ol>

<p>This explains how the "<b>echo</b>" type is smaller in size compares to the "<b>telnet</b>" type. And in addition, the both of "<b>telnet</b>" (previously explained) and "<b>echo</b>" (now explained) pushed ELF loaders are all "inspired" from Mirai's <b>Okiru </b>and <b>Satori </b>ELF loaders.

<p>I hope you like this additional part too, thank you for contacting and asking questions, happy RE practise!
<i>
<p>For the folks who have to get recovered or isolated due to corona virus pandemic, this chapter I dedicated to them. Please try to spend your time at home in brushing your reverse engineering skill on Linux binaries with practising this example or <a href="https://pastebin.com/raw/ESeYP7bK">sample</a></i>. 

<p>You can download the <b>Tsurugi </b>DFIR Linux distro's ISO from the official side [<a href="https://tsurugi-linux.org/">link</a>], or use the SECCON special edition I use [<a href="https://blog.0day.jp/p/20191218.html">link</a>], Tsurugi can be used in Live mode in several virtual machines (wmware, vbox, kvm) or USB bootable, or you can install it into your unused old PC. With a build effort, you can also install <b>radare2 </b>[<a href="https://github.com/radareorg/radare2">link</a>] with <b>r2ghidra </b>[<a href="https://github.com/radareorg/r2ghidra-dec">link</a>] and <b>r2dec </b>[<a href="https://github.com/radareorg/r2dec-js">link</a>] from the github sites. These are all open source tools, it is free and good folks are working hard in maintaining & improving them, please support them if you think they're useful! 
<p>


<a name=newactor>
<br>
<p><h2>New actor, old version [Update for April 24, 2020]</h2></a>

<p>We have spotted the new spark of what looks like the FBOT activity, started from April 24th, 2020. as per recorded in the following log screenshot below, this seems like the Mirai FBOT is downgraded to earlier era's version, which I found it strange so I just need to look it further:

<p>
<a href="https://lh3.googleusercontent.com/dnvGmKx_eI5F6OuYAWgmjRXOdyHT6K_Fn-z3atREa8GCKxxVbDivUlwWEZ8dCZwU0bql6NAhdum2GGEU1uJAga0RpMsla8YtASmABRrgJrtAm4eT9GMhzD0I--_-c7joxh6tfeLmIlE=w1580-h766-no"><img src="https://lh3.googleusercontent.com/dnvGmKx_eI5F6OuYAWgmjRXOdyHT6K_Fn-z3atREa8GCKxxVbDivUlwWEZ8dCZwU0bql6NAhdum2GGEU1uJAga0RpMsla8YtASmABRrgJrtAm4eT9GMhzD0I--_-c7joxh6tfeLmIlE=w580-h766-no"></a>

<p>To make sure the payload is actually served, some testing and record to check them has been also conducted as per recorded too in the screenshot below:

<p>
<a href="https://lh3.googleusercontent.com/H_LSiKneZYPJo8fdtBlS4J9aVU85lBNNin_hqwAoGTBlumcFaZuvSJZJqePW48bBTfjqjlJBu_p18aNq971nF04mECi3Jz0w8ZHVJ0RmHBljoAlcpvysToUFZZzEQJVsxtdtqA09b5w=w950-h553-no"><img src="https://lh3.googleusercontent.com/H_LSiKneZYPJo8fdtBlS4J9aVU85lBNNin_hqwAoGTBlumcFaZuvSJZJqePW48bBTfjqjlJBu_p18aNq971nF04mECi3Jz0w8ZHVJ0RmHBljoAlcpvysToUFZZzEQJVsxtdtqA09b5w=w580-h553-no"></a>

<p>The bot binaries are all packed, but with the older ways, at this point it raises more suspicion:

<p>
<a href="https://lh3.googleusercontent.com/YUyKhq5Wja_3VF0XP5xIT6AQEZ4_58h4Q2ciI0YSn5hXmtQJ1aXljpj7eN91Sh8Eq_HFu9H-BJEWNaYP_acgJ3BueQihHZq9jvZNRA9KDLlucWLybSQajHatfnqWiJB1ZJiJZbxMl5g=w580-h829-no"><img src="https://lh3.googleusercontent.com/YUyKhq5Wja_3VF0XP5xIT6AQEZ4_58h4Q2ciI0YSn5hXmtQJ1aXljpj7eN91Sh8Eq_HFu9H-BJEWNaYP_acgJ3BueQihHZq9jvZNRA9KDLlucWLybSQajHatfnqWiJB1ZJiJZbxMl5g=w580-h829-no"></a>

<p>After the unpacking I found that the "CTF like" encryption that I was blogged in this post and previous post wasn't there, took me like 5 minutes to decrypt this one, but I bet by now you all can do the unpacking and decrypting this way much faster yes? After all of the exercises you took in previous chapter above.  :D

<p>
<a href="https://lh3.googleusercontent.com/KIjLWVjIACo9UTVCOadHH9XmUuk4IsWSh15T4gl35bZLGKsQdtnIft7wffPy3DtStLViKLllFyohLbxYxfoDNpf1eRG0O61S_Eex0tW8UVCGz2wcTlDEpYCn_MaiyJi-vTGPc0ivpM8=w1730-h853-no"><img src="https://lh3.googleusercontent.com/KIjLWVjIACo9UTVCOadHH9XmUuk4IsWSh15T4gl35bZLGKsQdtnIft7wffPy3DtStLViKLllFyohLbxYxfoDNpf1eRG0O61S_Eex0tW8UVCGz2wcTlDEpYCn_MaiyJi-vTGPc0ivpM8=w580-h853-no"></a>

<p>Back to this version's the scanner's atacker source IP as per shown in the picture above, I sorted all of the infection effort the per this list ==>[<a href="https://gist.github.com/unixfreaxjp/64dd1beb347990c972daf89b015910e6">link</a>], and sort the source IP as per this list ==>[<a href="https://gist.github.com/unixfreaxjp/a204645266c5283fe1e32c0398c0b1f5">link</a>]. to then compared to what has been recorded so far as Mirai FBOT's scanner IP (read: IoT infected with Mirai FBOT) written in several links in previous chapters. 

<p>The result is <b>none of them is matched</b>. It seems that there is another botnet is propagating infection using  either the copycat version or museum version of the FBOT with the very low quality on its core's code and just being added with some new scanning interface. 

<p>To be more clear in the comparison betwen nea actor's FBOT and previous botnet's one. Below is the botnet geographical map of the new actor's botnet, that's is showing an infection focus on Hongkong and China, that's is different to the similar map made by infection of previous FBOT which was focusing on Taiwan, Vietnam, then to Hongkong, the link is here==[<a href="#olderfbotmap">link</a>]
<p>
<a href=https://lh3.googleusercontent.com/pUgtY6wK8u0oH0W5gIYT12cj4W5eueHKFiRUF8EATtOm8-kU_-Wc0qmqpelnQA_Kr-t9yejPrEY16PP1YENRbUy64GJMhWvoxt_YyKr-Hhz8rGkiHFSKn6DYWiQx_Su-epuLskjWUHk=w1025-h634-no><img src="https://lh3.googleusercontent.com/pUgtY6wK8u0oH0W5gIYT12cj4W5eueHKFiRUF8EATtOm8-kU_-Wc0qmqpelnQA_Kr-t9yejPrEY16PP1YENRbUy64GJMhWvoxt_YyKr-Hhz8rGkiHFSKn6DYWiQx_Su-epuLskjWUHk=w580-h634-no"></a>


<p>Additionally, on April 25, 2020, this new actor was started to launch the pushed hexstrings to infect new IoT via echo command, that the video ccan be seen in here==>[<a href="#fbot3hexstring">link</a>]. In that case, the used IP address can be grep easily in the hexstring itself, it's written like this: <b>\xa0\xe3\x12\x30\xa0\xe3\xce\x10\xa0\xe3\xe3\x20</b> and these hexs means the last three digits IP address used to download the FBOT payload. You can adjust this string into a grep command to your honeypot or IoT log, by adding escape sequence backslash before the <b>"\x"</b> . The latest new actor infection log I shared in the GIST link above contains the nodes that infects with this hexstrings from the same C2.

<p>Let's go back to the binaries used of this FBOT version, if you can unpack it very well, you will see the below details that can support the theory.

<p>Some scanner strings used in this new actor's Mirai FBFOT version:

<p>
<a href="https://lh3.googleusercontent.com/nLAj2QtIusLhyvaSPvwEZaaC2fb8y3KuWWVd3MQ1OqMiknaG3oY2XdRQ_6fvmhX2U0DILF-B25UasT-iavU6OnpiDvYsOEYtfpmerRWjMckmqOwm84YmDwFQKHD3klTSi_-zifmUrHc=w1606-h921-no"><img src="https://lh3.googleusercontent.com/nLAj2QtIusLhyvaSPvwEZaaC2fb8y3KuWWVd3MQ1OqMiknaG3oY2XdRQ_6fvmhX2U0DILF-B25UasT-iavU6OnpiDvYsOEYtfpmerRWjMckmqOwm84YmDwFQKHD3klTSi_-zifmUrHc=w580-h921-no"></a>

<p>These are the payload binaries name:
<p>
<a href="https://lh3.googleusercontent.com/dL79NoG7vdoQqt0SD1qHwpBYGGbCHrZvFzyvHTO4CDdraFa_yTQeab5d-lk5lho1vTxFVD9qNACwq2cBUPevTqTBCCwb8WeGtoOG19QLRHU3rImIpGlL3j7JVGoitosX984Q5Ut_wjs=w1400-h243-no"><img src="https://lh3.googleusercontent.com/dL79NoG7vdoQqt0SD1qHwpBYGGbCHrZvFzyvHTO4CDdraFa_yTQeab5d-lk5lho1vTxFVD9qNACwq2cBUPevTqTBCCwb8WeGtoOG19QLRHU3rImIpGlL3j7JVGoitosX984Q5Ut_wjs=w400-h243-no"></a>

<p>And this is the hardcoded <b>Stupidly Simple DDoS Protocol(SSDP) headers </b>used for amplification flood reflection attack:
<p>
<a href="https://lh3.googleusercontent.com/1x9Ck_IVvHwSEz531Y9dc--hCYCE-eU2qT7ODtpWBYTc6jDMxJqqlVSnhVDFnTMQ9-LkOu7owcw6aikticZtdehR8uLrBV7E_J3Yag8ROiPyNwh32Y3LWYvEQfCeQ66hO6OiHduOzrA=w940-h188-no"><img src="https://lh3.googleusercontent.com/1x9Ck_IVvHwSEz531Y9dc--hCYCE-eU2qT7ODtpWBYTc6jDMxJqqlVSnhVDFnTMQ9-LkOu7owcw6aikticZtdehR8uLrBV7E_J3Yag8ROiPyNwh32Y3LWYvEQfCeQ66hO6OiHduOzrA=w400-h188-no"></a>

<p>Again, about SSDP flood in simple words: It's a flood composed by UDP packets using source port 1900. This port is used by the SSDP and is legitimately specified for UPnP protocols. In UPnP there's "M-SEARCH frame" as main method for device discovery using multicasting on 239.255.255.250:1900 (reserved for this purpose). The adversaries are taking advantage from three weaknesses of UPnP protocol in (1) utilizing it for amplification attack, or (2) reflection attack and while doing those it obviously can (3) spoof the source IP address. The above picture is showing that Mirai FBOT is having this flood functionality.

<p>What has been concluded in this additional (update) chapter is, there is more than one actor is using Mirai FBOT, the one with the "CTF like" crypt function that looks like stopping its activity and abandon the botnet under the scale volume of 1,600 to 1,700 nodes, and there is a new one, using the older yet standard version, suspecting could be a older version leaked/shared/re-used and now actively operated by another actor(s).

<p>The IOC for this update chapter (new actor one):
<p>
<pre class="brush: cpp">
C2: 5[.]206[.]227[.]18 (same FBOT port number for nodes & C2)
spf FQDN: darksdemon[.]gov
Payloads: 5.206.227.18/bot/bot.{ARCH}
Temporary filename: bot.{ARCH}.tmp
Payloads:
bot.arm4,5: dfa6b60d0999eb13e6e5613723250e62
bot.arm7:   924d74ee8bfca43b9a74046d9c15de92
bot.mips:   4b323cd2d5e68e7757b8b35e7505e8d9
bot.x86:    591ca99f1c262cd86390db960705ca4a
bot.x86_64: 697043785e484ef097bafa2a1e234aa0
Others payloads are not included: *.mipsel, *.superh 
</pre>

<p>Updates on new actor's Mirai/FBOT:
<p>
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Within ONE month new-actor of <a href="https://twitter.com/hashtag/Linux?src=hash&amp;ref_src=twsrc%5Etfw">#Linux</a>/<a href="https://twitter.com/hashtag/Mirai?src=hash&amp;ref_src=twsrc%5Etfw">#Mirai</a> <a href="https://twitter.com/hashtag/FBOT?src=hash&amp;ref_src=twsrc%5Etfw">#FBOT</a> has raised his <a href="https://twitter.com/hashtag/botnet?src=hash&amp;ref_src=twsrc%5Etfw">#botnet</a> from 299 nodes<br>(ref:<a href="https://t.co/vOjQ5nwDrY">https://t.co/vOjQ5nwDrY</a>)<br><br>to 653(&#8593;+354) nodes<br>(ref:<a href="https://t.co/u05uTVtFhf">https://t.co/u05uTVtFhf</a>).<br><br>1. CN 165<br>2. TW 138<br>3. HK 125<br>*) SE 31, RU 26, US 20<br><br>IP is on <a href="https://twitter.com/MISPProject?ref_src=twsrc%5Etfw">@MISPProject</a> for CERT process<a href="https://twitter.com/hashtag/MalwareMustDie?src=hash&amp;ref_src=twsrc%5Etfw">#MalwareMustDie</a> <a href="https://t.co/mfErSSy0c1">pic.twitter.com/mfErSSy0c1</a></p>&mdash; &#9769;MalwareMustDie (@malwaremustd1e) <a href="https://twitter.com/malwaremustd1e/status/1265736192965791744?ref_src=twsrc%5Etfw">May 27, 2020</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

<a name=epilogue><br></a>
<p>
<h2>The epilogue</h2>

<p>We hope this post can raise attention needed to handle the worrisome of this new FBOT propagation wave in the internet. Also we wrote this post to help beginner threat analysts, binary reversers, and incident response team, with hoping to learn together about Linux malware in general and specifically on IoT botnet. 

<p>There is some more insight information about this threat that maybe can help you to understand the threat better, including a how to mitigate this, it is in this article ==>[<a href="https://securityaffairs.co/wordpress/98479/malware/fbot-re-emerged.html?fbclid=IwAR1RwEZZfHvnLr7aiveVRyljUN3Pxpp06XkYtpxwQY2nJkMoN2jAjUgYs_I">link</a>] (thank you for the interview!). 

Also if you successfully analyze and monitor similar threat, please don't forget to inform your CERT/CC so they can help to coordinate the handling further to the CSIRT on every related carriers and services, and also those escalation records can be useful to be used during notification to the authority, for applying a better policy for IoT structure in your region.

<p>We are in the era where Linux or IoT malware is getting into their better form with advantages, it is important to work together with threat intelligence and knowledge sharing, to stop every new emerging activity before they become a big problem for all of us later on.

<p>On behalf of the rest of our team, we thank all of the people who support our work, morally and with their friendship. MMD understands that security information and knowledge sharing is also very important to maintain the stability of internet to make our life easier. Thank you to all tools/framework's vendors and services who are so many of them and who are so kind to support our research and sharing works with their environments, also, to the media folks who are helping us all of these yeas. I and the team will look forward to support more "securee-tays" for 2020 and for more years to come. 

<p>I will try to update regularly the information posted in this article, please bear with recent additional information and maybe changes, so stay tuned always.

<p><i>This technical analysis and its contents is an original work and firstly published in the current MalwareMustDie Blog post (this site), the analysis and writing is made by <b>@unixfreaxjp</b>. 

<p>The research contents is bound to our legal <a href="https://blog.malwaremustdie.org/p/the-rule-to-share-malicious-codes-we.html">disclaimer guide line</a> in sharing of MalwareMustDie NPO research material</i>.<p>
<img src="https://lh3.googleusercontent.com/dsk-63KxE8vQ-QD1caFyx6MrmGL2Xdiwo7DZjphwXBMrKTeYz6Zbb4NyoeFtSJdfrvlOSsnScpEP2V75H5r8AViyUGee-WOuoLnx0k9uH_A80bxzezs0AqiPZI0XaGh6Dvxg7iiVDrI=w400-h566-no">

<p>Malware Must Die!
<div style='clear: both;'></div>
</div>
<div class='post-footer'>
<div class='post-footer-line post-footer-line-1'><span class='post-author vcard'>
Posted by
<span class='fn'>unixfreaxjp</span>
</span>
<span class='post-timestamp'>
at
<a class='timestamp-link' href='https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html' itemprop='url' rel='bookmark' title='permanent link'><abbr class='published' itemprop='datePublished' title='2020-02-24T05:26:00+09:00'>Monday, February 24, 2020</abbr></a>
</span>
<span class='post-comment-link'>
</span>
<span class='post-icons'>
<span class='item-control blog-admin pid-1814417508'>
<a href='https://www.blogger.com/post-edit.g?blogID=8268358095554400245&postID=8926320833546683754&from=pencil' title='Edit Post'>
<img alt='' class='icon-action' height='18' src='https://resources.blogblog.com/img/icon18_edit_allbkg.gif' width='18'/>
</a>
</span>
</span>
<div class='post-share-buttons goog-inline-block'>
<a class='goog-inline-block share-button sb-email' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=8926320833546683754&target=email' target='_blank' title='Email This'><span class='share-button-link-text'>Email This</span></a><a class='goog-inline-block share-button sb-blog' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=8926320833546683754&target=blog' onclick='window.open(this.href, "_blank", "height=270,width=475"); return false;' target='_blank' title='BlogThis!'><span class='share-button-link-text'>BlogThis!</span></a><a class='goog-inline-block share-button sb-twitter' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=8926320833546683754&target=twitter' target='_blank' title='Share to Twitter'><span class='share-button-link-text'>Share to Twitter</span></a><a class='goog-inline-block share-button sb-facebook' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=8926320833546683754&target=facebook' onclick='window.open(this.href, "_blank", "height=430,width=640"); return false;' target='_blank' title='Share to Facebook'><span class='share-button-link-text'>Share to Facebook</span></a><a class='goog-inline-block share-button sb-pinterest' href='https://www.blogger.com/share-post.g?blogID=8268358095554400245&postID=8926320833546683754&target=pinterest' target='_blank' title='Share to Pinterest'><span class='share-button-link-text'>Share to Pinterest</span></a>
</div>
</div>
<div class='post-footer-line post-footer-line-2'><span class='post-labels'>
</span>
</div>
<div class='post-footer-line post-footer-line-3'><span class='post-location'>
</span>
</div>
</div>
</div>
<div class='comments' id='comments'>
<a name='comments'></a>
</div>
</div>

        </div></div>
      
</div>
<div class='blog-pager' id='blog-pager'>
<span id='blog-pager-newer-link'>
<a class='blog-pager-newer-link' href='https://blog.malwaremustdie.org/2021/03/mmd-067-2021-recent-talks-on-linux.html' id='Blog1_blog-pager-newer-link' title='Newer Post'>Newer Post</a>
</span>
<span id='blog-pager-older-link'>
<a class='blog-pager-older-link' href='https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html' id='Blog1_blog-pager-older-link' title='Older Post'>Older Post</a>
</span>
<a class='home-link' href='https://blog.malwaremustdie.org/'>Home</a>
</div>
<div class='clear'></div>
<div class='post-feeds'>
</div>
</div></div>
</div>
</div>
<div class='column-left-outer'>
<div class='column-left-inner'>
<aside>
</aside>
</div>
</div>
<div class='column-right-outer'>
<div class='column-right-inner'>
<aside>
<div class='sidebar section' id='sidebar-right-1'><div class='widget HTML' data-version='1' id='HTML1'>
<h2 class='title'>About #MalwareMustDie!</h2>
<div class='widget-content'>
Launched in August 2012, MalwareMustDie(or MMD), is a registered <span style="font-weight:bold;">Non-profit Whitehat Organization</span>, as a Blue-Teaming media  to form work-flow activities to reduce malware in the internet <a href="https://en.wikipedia.org/wiki/MalwareMustDie">..[Read More]</a>
</div>
<div class='clear'></div>
</div><div class='widget BlogSearch' data-version='1' id='BlogSearch1'>
<h2 class='title'>Search keyword</h2>
<div class='widget-content'>
<div id='BlogSearch1_form'>
<form action='https://blog.malwaremustdie.org/search' class='gsc-search-box' target='_top'>
<table cellpadding='0' cellspacing='0' class='gsc-search-box'>
<tbody>
<tr>
<td class='gsc-input'>
<input autocomplete='off' class='gsc-input' name='q' size='10' title='search' type='text' value=''/>
</td>
<td class='gsc-search-button'>
<input class='gsc-search-button' title='search' type='submit' value='Search'/>
</td>
</tr>
</tbody>
</table>
</form>
</div>
</div>
<div class='clear'></div>
</div><div class='widget LinkList' data-version='1' id='LinkList1'>
<h2>Links</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/feeds/posts/default?alt=rss'>RSS Feed</a></li>
<li><a href='https://www.malwaremustdie.org/'>Home Page</a></li>
<li><a href='https://blog.malwaremustdie.org/p/send-sample.html'>Send Sample</a></li>
<li><a href='https://www.google.com/search?q=malwaremustdie&tbm=nws&start=0'>News Search</a></li>
<li><a href='https://www.google.com/search?q=malwaremustdie&newwindow=1&client=firefox-b&biw=928&bih=462&source=lnt&tbs=cdr%3A1%2Ccd_min%3A7%2F1%2F2012%2Ccd_max%3A6%2F10%2F2016&tbm=#q=malwaremustdie&newwindow=1&tbs=cdr:1,cd_min:7/1/2012,cd_max:6/10/2016,sbd:1&start=10'>Web Search</a></li>
<li><a href='https://blog.malwaremustdie.org/p/linux-malware-research-list-updated.html'>Linux Malware</a></li>
<li><a href='https://unixfreaxjp.github.io/malwaremustdie/'>Github Repository</a></li>
<li><a href='https://www.youtube.com/playlist?list=PLSe6fLFf1YDX-2sog70220BchQmhVqQ75'>Video News, Demo, Reports</a></li>
<li><a href='https://malwared.malwaremustdie.org/'>"Malwared" Blacklist/Tracker</a></li>
<li><a href='https://blog.malwaremustdie.org/p/the-mmds-tango-down-project-archive.html'>"Tango down!" project (Archive)</a></li>
<li><a href='https://blog.malwaremustdie.org/p/the-rule-to-share-malicious-codes-we.html'>Disclaimer & Sharing Guide</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget FeaturedPost' data-version='1' id='FeaturedPost1'>
<h2 class='title'>Recommended reading</h2>
<div class='post-summary'>
<h3><a href='https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html'>MMD-0065-2020 - Linux/Mirai-Fbot&#39;s new encryption explained</a></h3>
<p>
 Prologue   [For the most recent information of this threat please follow this ==&gt; link ]   I setup a local brand new ARM base router I b...
</p>
<img class='image' src='https://lh3.googleusercontent.com/58YEFVF-KZsSkmn8kvB8Tgth6VmcLHujsJCXpyic5GrXNHLR9TYqkJpymvzGv2tpMNlN6vdIojrhzoRkYwRg5PLuj7Yj03fdPac-CJUEVSyFeBd1TX52UpHabUOkuaRiBjgiqTrqiW8=w300-h1864-no'/>
</div>
<style type='text/css'>
    .image {
      width: 100%;
    }
  </style>
<div class='clear'></div>
</div><div class='widget LinkList' data-version='1' id='LinkList2'>
<h2>Malware Analysis / Threat Reports (Indexed)</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/2021/03/mmd-067-2021-recent-talks-on-linux.html'>MMD-0067-2021 - Recent talks on Linux process injection and shellcode analysis series (ROOTCON-2020, R2CON-2020 ++)</a></li>
<li><a href='https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html'>MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat </a></li>
<li><a href='https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html'>MMD-0065-2020 - Linux/Mirai-Fbot's new encryption explained</a></li>
<li><a href='https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html'>MMD-0064-2019 - Linux/AirDropBot</a></li>
<li><a href='https://blog.malwaremustdie.org/2019/09/mmd-0063-2019-summarize-report-of-three.html'>MMD-0063-2019 - Summary of three years research (Sept 2016-Sept 2019)</a></li>
<li><a href='https://blog.malwaremustdie.org/2017/03/mmd-0062-2017-credential-harvesting-by.html'>MMD-0062-2017 - IoT/Studels SSH-TCP Forward Threat</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/12/mmd-0061-2016-energymech-28-overkill-mod.html'>MMD-0061-2016 - EnergyMech 2.8 overkill mod</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/10/mmd-0060-2016-linuxudpfker-and-chinaz.html'>MMD-0060-2016 - Linux/UDPfker and ChinaZ threat today</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/10/mmd-0059-2016-linuxirctelnet-new-ddos.html'>MMD-0059-2016 - Linux/IRCTelnet (new Aidra)</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/10/mmd-0058-2016-elf-linuxnyadrop.html'>MMD-0058-2016 - Linux/NyaDrop - MIPS IoT bad news</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html'>MMD-0057-2016 - Linux/LuaBot - IoT botnet as service</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html'>MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html'>MMD-0055-2016 - Linux/PnScan ; A worm that still circles around</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/06/mmd-0054-2016-atmos-botnet-and-facts.html'>MMD-0054-2016 - ATMOS botnet facts you should know</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/04/mmd-0053-2016-bit-about-elfstd-irc-bot.html'>MMD-0053-2016 - Linux/STD IRC Botnet: x00's CBack aka xxx.pokemon.inc</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html'>MMD-0052-2016 - Overview of Overall "SkidDDoS" Linux Botnet</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/02/mmd-0051-2016-debungking-tiny-elf.html'>MMD-0051-2016 - Debunking a Tiny Shellhock's ELF backdoor</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html'>MMD-0050-2016 - Linux/Torte infection (in Wordpress)</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html'>MMD-0049-2016 - Java Trojan Downloader/RCE) for minerd</a></li>
<li><a href='https://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html'>MMD-0048-2016 - DDOS.TF = ELF & Win32 DDoS service with ASP + PHP/MySQL MOF webshells</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/12/mmd-0047-2015-sshv-ssh-bruter-elf.html'>MMD-0047-2015 - SSHV: SSH bruter Linux botnet w/hidden process rootkit</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/12/mmd-0046-2015-kelihos-cnc-activity-on.html'>MMD-0046-2015 - Kelihos 10 nodes C2 / CNC on NJIIX (US) and its actor(Severa)</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/12/mmd-0045-2015-kdefend-new-elf-threat.html'>MMD-0045-2015 - Linux/KDefend: a new China origin Linux threat w/disclaimer</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html'>MMD-0044-2015 - Code disclosure of SkiDDoS threat</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/09/mmd-0042-2015-polymorphic-in-elf.html'>MMD-0043-2015 - Linux/Xor.DDOS Polymorphic feature</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/09/mmd-0042-2015-hunting-mr-black-ids-via.html'>MMD-0042-2015 - Geting to Linux/Mr.Black actor via Zegost </a></li>
<li><a href='https://blog.malwaremustdie.org/2015/09/mmd-0041-2015-reversing-pe-mail-grabber.html'>MMD-0041-2015 - PE Mail-grabber Spambot & its C99 WebShell</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/08/mmd-0039-2015-learning-about-vbe.html'>MMD-0040-2015 - VBE Obfuscation & AutoIt Banco Trojan</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malware.html'>MMD-0039-2015 - ChinaZ  Linux/BillGates.Lite Edition</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/08/mmd-0037-2015-chinaz-and-ddos123xyz.html'>MMD-0038-2015 - ChinaZ's Ddos123.xyz</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/07/mmd-0037-2015-bad-shellshock.html'>MMD-0037-2015 - Shellshock & Linux/XOR.DDoS C2</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/07/mmd-0036-2015-kins-or-zeusvm-v2000.html'>MMD-0036-2015 - KINS (ZeusVM)v2.0.0. builder & panel leaks</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/mmd-0035-2015-iptablex-or-iptables-on.html'>MMD-0035-2015 - Linux/.IptabLex or .IptabLes on Shellshock(by: ChinaZ)</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html'>MMD-0034-2015 - Linux/DES.Downloader on Elasticsearch</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/mmd-0033-2015-linuxxorddos-infection_23.html'>MMD-0033-2015 - Linux/XorDDoS case CNC:HOSTASA.ORG</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html'>MMD-0032-2015 - The ELF ChinaZ "reloaded"</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/04/mmd-0031-2015-what-is-netwire-rat.html'>MMD-0031-2015 - What is NetWire (multi platform) RAT</a></li>
<li><a href='https://blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-malware-on.html'>MMD-0030-2015 - New malware on Shellshock: Linux/ChinaZ</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/10/mmd-0029-2015-warning-of-mayhem.html'>MMD-0029-2014 - Warning of Linux/Mayhem attack in Shellshock</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html'>MMD-0028-2014 - Linux/XOR.DDoS</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/09/linux-elf-bash-0day-fun-has-only-just.html'>MMD-0027-2014 - Linux/Bashdoor(GafGyt) & Small ELF Backdoor at shellshock</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/09/reversing-arm-architecture-elf-elknot.html'>MMD-0026-2014 - Linux/AES.DDoS: Router Malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html'>MMD-0025-2014 - Linux/.IptabLex or .IptabLes - China/PRC origin DDoS bot</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/recent-incident-report-of-linux-elf.html'>MMD-0024-2014 - Incident Report of Linux/Mayhem (LD_PRELOAD libworker.so)</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/a-payback-to-ssh-bruting-crooks.html'>MMD-0023-2014 - Linux/pscan & Linux/sshscan: SSH bruter malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html'>MMD-0022-2014 - Zendran, multi-arch Linux/Llightaidra - Part 1: background, installation, reversing & C2 access</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html'>MMD-0021-2014 - Linux/Elknot: China's origin ELF DDoS+backdoor</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html'>MMD-0020-2014 - Analysis of Linux/Mayhem infection: A shared libs ELF</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/04/when-hacker-gets-hacked-disclosure.html'>MMD-0019-2014 - "Xakep.biz" evil tools</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/04/upatre-downloading-gmo-is-back-to-ssl.html'>MMD-0018-2014 - Analysis note: "Upatre" is back to SSL? </a></li>
<li><a href='https://blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameover-crooks.html'>MMD-0017-2014 - A post to sting Zeus P2P/Gameover</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/cyber-intelligence-jackpos-behind-screen.html'>MMD-0016-2014 - The JackPOS Behind the Screen</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/one-upn-time-with-american-express.html'>MMD-0015-2014 - One upon the time with Phishing Session..</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/threat-intelligence-new-locker-prison.html'>MMD-0014-2014 - New Locker: Prison Locker (aka: Power Locker)</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/shadow-logger-new-fud-keylogger-on-mmd.html'>MMD-0013-2014 - "Shadow Logger" - .NET's FUD Keylogger</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/12/arp-spoofing-malware-infection-project.html'>MMD-0012-2013 - ARP Spoofing Malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/12/lets-be-more-serious-about-dns-amp-elf.html'>MMD-0011-2013 - Linux/Elknot - Let's be more serious about (mitigating) DNS Amp</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/11/more-wordpress-hack-case-sites.html'>MMD-0010-2013 - Wordpress Hack Case: Site's Credential Stealer</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/11/runforrestrun-dga-is-alive-at.html'>MMD-0009-2013 - JS/RunForrestRun DGA "Comeback" with new obfuscation</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/10/a-disclosure-of-whats-behind-w00tw00t.html'>MMD-0008-2013 - What's Behind the #w00tw00t (PHP) Attack</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/10/kins-source-code-for-view-download.html'>MMD-0007-2013 - KINS? No! PowerZeuS, yes! </a></li>
<li><a href='https://blog.malwaremustdie.org/2013/09/302-redirector-new-cushion-attempt-to.html'>MMD-0006-2013 - Rogue 302-Redirector "Cushion Attack"</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/09/how-greedy-cyber-scums-are-leaked-plan.html'>MMD-0005-2013 - A Leaked Malvertisement, Cutwail+BHEK & Triple Payloads of "Syria Campaign"</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/08/you-hacked-we-cracked-youre-doomed-ir.html'>MMD-0004-2013 - "You hacked.. we cracked" - "WP Super Cache" & Glazunov EK</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/the-come-back-of-ru-runforrestruns-dga.html'>MMD-0003-2013 - First "comeback" of the .RU RunForrestRun's DGA</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/how-bad-cutwail-and-other-spambot-can.html'>MMD-0002-2013 - How Cutwail and other SpamBot can fool (spoof) us?</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/proof-of-concept-of-cookiebomb-attack.html'>MMD-0001-2013 - Proof of Concept of "CookieBomb" code injection attack</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/06/advisory-on-pleskapache-remote-code.html'>MMD-0000-2013 - Malware Infection Alert on Plesk/Apache Remote Code Execution zeroday</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget LinkList' data-version='1' id='LinkList3'>
<h2>Presentation and Special Threat Reports</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/2021/03/mmd-067-2021-recent-talks-on-linux.html#rootcon2020'>ROOTCON 2020 - Deeper diving into shellcode (advanced users)</a></li>
<li><a href='https://blog.malwaremustdie.org/2021/03/mmd-067-2021-recent-talks-on-linux.html#r2con2020'>R2CON 2020 - So you don't like shellcode too? (for r2 RE beginners)</a></li>
<li><a href='https://blog.malwaremustdie.org/2019/10/more-about-my-2019hacklu-keynote-talk.html'>HACK.LU 2019 Keynote talk: "Fileless Malware Infection and Linux Process Injection"</a></li>
<li><a href='https://blog.malwaremustdie.org/p/new-video-of-this-talk-has-just-been.html'>R2CON 2018 talk of: "Unpacking the non-unpackable ELF malware"</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/long-talk-av-tokyo-20135-kelihos.html'>AVTOKYO 2013.5 - Threats of Kelihos, CookieBomb, RedKit's and its Bad Actor</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/12/short-talk-in-botconf-2013-kelihos.html'>BOTCONF 2013 - Kelihos: Botnet, Takedown, Mule Actor</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/02/cve-2013-0634-this-ladyboyle-is-not.html'>CVE-2013-0634 This "Lady" Boyle is not a nice Lady at all</a></li>
<li><a href='https://blog.0day.jp/p/english-report-of-fhappi-freehosting.html'>APT-10 - FreeHosting APT w/PowerSploit Poison Ivy (FHAPPI) campaign aims Hongkong & Mongolia</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html'>APT-32 - The Vietnam Journalist Spy Campaign </a></li>
<li><a href='https://blog.malwaremustdie.org/2014/08/what-is-bad-stays-bad-legalized-any.html'>Targeted attack of "Operation Torpedo"</a></li>
<li><a href='https://old.reddit.com/r/LinuxMalware/comments/5d0jx4/malwaremustdie_closed_blog_usa_access_as_protest/'>Protest against usage of NSA malware spytool PITCHIMPAIR & INNOVATION on friendly countries</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/11/china-elf-botnet-malware-infection.html'>China/PRC origin Linux botnet's malware infection and its distribution scheme unleashed</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/06/full-disclosure-of-309-botbotnet-source.html'>Full disclosure of 309 Bots/Botnet Source Codes Found via Germany Torrent </a></li>
<li><a href='https://blog.malwaremustdie.org/2013/03/the-evil-came-back-darkleechs-apache.html'>The Evil Came Back: Linux/Darkleech's Apache Malware Module</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/ddoser-as-service-camouflation-of-legit.html'>DDoS in a Bruter Service - A camouflage of Stresser/Booter</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/10/how-far-phpc99shell-malware-can-go-from.html'>How EVIL the PHP/C99Shell can be? From SQL Dumper, Hacktools, to Trojan Distributor Future? </a></li>
<li><a href='https://blog.malwaremustdie.org/2014/06/a-journey-to-abused-ftp-sites-story-of.html'>A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam) - Part 2</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/05/a-journey-to-ftp-abused-sites-story-of.html'>A journey to abused FTP sites (story of: Shells, Malware, Bots, DDoS & Spam) - Part 1</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/02/how-public-services-like-amazon-aws.html'>Case Study: How legitimate internet services like Amazon AWS, DropBox, Google Project/Code & ShortURL got abused to infect malware</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html'>Just another story of UNIX Trojan Tsunami/Kaiten.c (IRC/Bot) w/ Flooder, Backdoor at a hacked xBSD case</a></li>
<li><a href='https://blog.malwaremustdie.org/p/mon-mar-24-104232-jst-2014.html'>Discontinuation of "Malware Crusader" public forum</a></li>
<li><a href='https://blog.malwaremustdie.org/p/hall-of-shame.html'>Hall of Shame</a></li>
<li><a href='https://blog.malwaremustdie.org/p/malwaremustdie-blog-archive.html'>more..</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget LinkList' data-version='1' id='LinkList4'>
<h2>Non-indexed (older) Analysis</h2>
<div class='widget-content'>
<ul>
<li><a href='https://blog.malwaremustdie.org/2013/11/a-step-by-step-decoding-guide-for.html'>Decoding Guide for CookieBomb's (as Front-end) Latest Threat, with Evil ESD.PHP Redirection (as the Back-end)</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/a-note-of-modification-of-obfuscation.html'>Some Decoding note(s) on modified #CookieBomb attack's obfuscated injection code</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/07/what-is-behind-cookiebomb-attack-by.html'>What is behind #CookieBomb attack? (by @malm0u53)</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/and-another-detonating-method-of-new.html'>..And another "detonating" method of CookieBomb 2.0 - Part 2</a></li>
<li><a href='https://blog.malwaremustdie.org/2014/01/and-another-detonating-method-of-todays.html'>..And another "detonating" method of CookieBomb 2.0 - Part 1</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/10/fuzzy-in-manual-cracking-of.html'>New PseudoRandom (JS/runforestrun?xxx=)</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/12/jsrunforrestrun-infector-comeback-full.html'>JS/RunForrestRun Infection ComeBack</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/04/cnc-analysis-of-citadel-trojan-bot.html'>CNC analysis of Citadel Trojan Bot-Agent - Part 2</a></li>
<li><a href='https://blog.malwaremustdie.org/2013/04/wireshark-analysis-of-citadel-trojan.html'>CNC analysis of Citadel Trojan Bot-Agent - Part 1</a></li>
<li><a href='https://blog.malwaremustdie.org/2012/09/cracking-of-strong-encrypted-phpirc-bot.html'>Cracking of Strong Encrypted PHP / IRC Bot (PBOT) </a></li>
<li><a href='https://blog.malwaremustdie.org/p/malwaremustdie-blog-archive.html'>more..</a></li>
</ul>
<div class='clear'></div>
</div>
</div><div class='widget Feed' data-version='1' id='Feed2'>
<h2>
</h2>
<div class='widget-content' id='Feed2_feedItemListDisplay'>
<span style='filter: alpha(25); opacity: 0.25;'>
<a href='https://blog.0day.jp/feeds/posts/default?alt=rss'>Loading...</a>
</span>
</div>
<div class='clear'></div>
</div><div class='widget Subscribe' data-version='1' id='Subscribe1'>
<div style='white-space:nowrap'>
<h2 class='title'>Subscribe To</h2>
<div class='widget-content'>
<div class='subscribe-wrapper subscribe-type-POST'>
<div class='subscribe expanded subscribe-type-POST' id='SW_READER_LIST_Subscribe1POST' style='display:none;'>
<div class='top'>
<span class='inner' onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Posts
</span>
<div class='feed-reader-links'>
<a class='feed-reader-link' href='https://www.netvibes.com/subscribe.php?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2Fposts%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-netvibes.png'/>
</a>
<a class='feed-reader-link' href='https://add.my.yahoo.com/content?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2Fposts%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-yahoo.png'/>
</a>
<a class='feed-reader-link' href='https://blog.malwaremustdie.org/feeds/posts/default' target='_blank'>
<img align='absmiddle' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
                  Atom
                </a>
</div>
</div>
<div class='bottom'></div>
</div>
<div class='subscribe' id='SW_READER_LIST_CLOSED_Subscribe1POST' onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<div class='top'>
<span class='inner'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<span onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Posts
</span>
</span>
</div>
<div class='bottom'></div>
</div>
</div>
<div class='subscribe-wrapper subscribe-type-PER_POST'>
<div class='subscribe expanded subscribe-type-PER_POST' id='SW_READER_LIST_Subscribe1PER_POST' style='display:none;'>
<div class='top'>
<span class='inner' onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Comments
</span>
<div class='feed-reader-links'>
<a class='feed-reader-link' href='https://www.netvibes.com/subscribe.php?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2F8926320833546683754%2Fcomments%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-netvibes.png'/>
</a>
<a class='feed-reader-link' href='https://add.my.yahoo.com/content?url=https%3A%2F%2Fblog.malwaremustdie.org%2Ffeeds%2F8926320833546683754%2Fcomments%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-yahoo.png'/>
</a>
<a class='feed-reader-link' href='https://blog.malwaremustdie.org/feeds/8926320833546683754/comments/default' target='_blank'>
<img align='absmiddle' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
                  Atom
                </a>
</div>
</div>
<div class='bottom'></div>
</div>
<div class='subscribe' id='SW_READER_LIST_CLOSED_Subscribe1PER_POST' onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<div class='top'>
<span class='inner'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<span onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Comments
</span>
</span>
</div>
<div class='bottom'></div>
</div>
</div>
<div style='clear:both'></div>
</div>
</div>
<div class='clear'></div>
</div><div class='widget HTML' data-version='1' id='HTML4'>
<div class='widget-content'>
<img src="https://lh5.googleusercontent.com/proxy/7a-Sy6taVMPz5qCfJcwarW7nnRlF-fwSjHuPpm4G-slGou22nrtKfHm7RVsFcKWJHqHb9Q_sMZs-ERk=s0-d" width="0" height="0" border="0">
<!--
&#9769;act free from sins,
&#9769;speak the truth,
&#9769;be just,
&#9769;be brave,
&#9769;have faith,
&#9769;help, support, teach the weaks ,
&#9769;non nobis domine sed nomine tuo da gloriam.
-->
</div>
<div class='clear'></div>
</div></div>
</aside>
</div>
</div>
</div>
<div style='clear: both'></div>
<!-- columns -->
</div>
<!-- main -->
</div>
</div>
<div class='main-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<footer>
<div class='footer-outer'>
<div class='footer-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left footer-fauxborder-left'>
<div class='fauxborder-right footer-fauxborder-right'></div>
<div class='region-inner footer-inner'>
<div class='foot no-items section' id='footer-1'></div>
<table border='0' cellpadding='0' cellspacing='0' class='section-columns columns-2'>
<tbody>
<tr>
<td class='first columns-cell'>
<div class='foot no-items section' id='footer-2-1'></div>
</td>
<td class='columns-cell'>
<div class='foot no-items section' id='footer-2-2'></div>
</td>
</tr>
</tbody>
</table>
<!-- outside of the include in order to lock Attribution widget -->
<div class='foot section' id='footer-3'><div class='widget Attribution' data-version='1' id='Attribution1'>
<div class='widget-content' style='text-align: center;'>
(c)MalwareMustDie, 2012-2021. Read LEGAL DISCLAIMER before quoting or copying our contents. Powered by <a href='https://www.blogger.com' target='_blank'>Blogger</a>.
</div>
<div class='clear'></div>
</div></div>
</div>
</div>
<div class='footer-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</footer>
<!-- content -->
</div>
</div>
<div class='content-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<script type='text/javascript'>
    window.setTimeout(function() {
        document.body.className = document.body.className.replace('loading', '');
      }, 10);
  </script>
<script type='text/javascript'>
      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
      })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
      ga('create', 'UA-180537376-1', 'auto', 'blogger');
      ga('blogger.send', 'pageview');
    </script>
<!--It is your responsibility to notify your visitors about cookies used and data collected on your blog. Blogger makes a standard notification available for you to use on your blog, and you can customise it or replace it with your own notice. See http://www.blogger.com/go/cookiechoices for more details.-->
<script defer='' src='/js/cookienotice.js'></script>
<script>
    document.addEventListener('DOMContentLoaded', function(event) {
      window.cookieChoices && cookieChoices.showCookieConsentBar && cookieChoices.showCookieConsentBar(
          (window.cookieOptions && cookieOptions.msg) || 'This site uses cookies from Google to deliver its services and to analyse traffic. Your IP address and user agent are shared with Google, together with performance and security metrics, to ensure quality of service, generate usage statistics and to detect and address abuse.',
          (window.cookieOptions && cookieOptions.close) || 'Ok',
          (window.cookieOptions && cookieOptions.learn) || 'Learn more',
          (window.cookieOptions && cookieOptions.link) || 'https://www.blogger.com/go/blogspot-cookies');
    });
  </script>

<script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/1434883710-widgets.js"></script>
<script type='text/javascript'>
window['__wavt'] = 'AOuZoY7tnSRFot0IHdeZtd3Rx6vrmZb3Fg:1640306046055';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d8268358095554400245','//blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html','8268358095554400245');
_WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '8268358095554400245', 'title': 'Malware Must Die!', 'url': 'https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html', 'canonicalUrl': 'https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html', 'homepageUrl': 'https://blog.malwaremustdie.org/', 'searchUrl': 'https://blog.malwaremustdie.org/search', 'canonicalHomepageUrl': 'https://blog.malwaremustdie.org/', 'blogspotFaviconUrl': 'https://blog.malwaremustdie.org/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': true, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': 'UA-180537376-1', 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Malware Must Die! - Atom\x22 href\x3d\x22https://blog.malwaremustdie.org/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Malware Must Die! - RSS\x22 href\x3d\x22https://blog.malwaremustdie.org/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Malware Must Die! - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/8268358095554400245/posts/default\x22 /\x3e\n\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Malware Must Die! - Atom\x22 href\x3d\x22https://blog.malwaremustdie.org/feeds/8926320833546683754/comments/default\x22 /\x3e\n', 'meTag': '', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'ieCssRetrofitLinks': '\x3c!--[if IE]\x3e\x3cscript type\x3d\x22text/javascript\x22 src\x3d\x22https://www.blogger.com/static/v1/jsbin/2287435483-ieretrofit.js\x22\x3e\x3c/script\x3e\n\x3c![endif]--\x3e', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/20752fd4df382411', 'plusOneApiSrc': 'https://apis.google.com/js/plusone.js', 'disableGComments': true, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'Twitter', 'key': 'twitter', 'shareMessage': 'Share to Twitter', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'item', 'postId': '8926320833546683754', 'postImageThumbnailUrl': 'https://lh3.googleusercontent.com/l5qLHC02vbwPebZeO5-NS8TFOTzgKnNY_ToqOI31ZmAPA83Axy92b4rTvHJGXhgcU8EMKtgYjnvXXXdE1XJeF-CuIW57dgD-zwN4MdXdI3-3k2-9SjYymNfU8y6QtzFMQMfm2HI_3iA\x3ds72-w580-c-h695-no', 'postImageUrl': 'https://lh3.googleusercontent.com/l5qLHC02vbwPebZeO5-NS8TFOTzgKnNY_ToqOI31ZmAPA83Axy92b4rTvHJGXhgcU8EMKtgYjnvXXXdE1XJeF-CuIW57dgD-zwN4MdXdI3-3k2-9SjYymNfU8y6QtzFMQMfm2HI_3iA\x3dw580-h695-no', 'pageName': 'MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat', 'pageTitle': 'Malware Must Die!: MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat', 'metaDescription': 'Mirai FBOT re-emerging botnet Linux malware, aims Linux basis IoT devices for DDoS attacks and malicious traffic distribution'}}, {'name': 'features', 'data': {'sharing_get_link_dialog': 'true', 'sharing_native': 'false'}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': false, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'MMD-0066-2020 - Linux/Mirai-Fbot - A re-emerged IoT threat', 'description': 'Mirai FBOT re-emerging botnet Linux malware, aims Linux basis IoT devices for DDoS attacks and malicious traffic distribution', 'featuredImage': 'https://lh3.googleusercontent.com/l5qLHC02vbwPebZeO5-NS8TFOTzgKnNY_ToqOI31ZmAPA83Axy92b4rTvHJGXhgcU8EMKtgYjnvXXXdE1XJeF-CuIW57dgD-zwN4MdXdI3-3k2-9SjYymNfU8y6QtzFMQMfm2HI_3iA\x3dw580-h695-no', 'url': 'https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html', 'type': 'item', 'isSingleItem': true, 'isMultipleItems': false, 'isError': false, 'isPage': false, 'isPost': true, 'isHomepage': false, 'isArchive': false, 'isLabelSearch': false, 'postId': 8926320833546683754}}]);
_WidgetManager._RegisterWidget('_NavbarView', new _WidgetInfo('Navbar1', 'navbar', document.getElementById('Navbar1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HeaderView', new _WidgetInfo('Header1', 'header', document.getElementById('Header1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'main', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/1619306617-lbx.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/4076883957-lightbox_bundle.css'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML1', 'sidebar-right-1', document.getElementById('HTML1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogSearchView', new _WidgetInfo('BlogSearch1', 'sidebar-right-1', document.getElementById('BlogSearch1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList1', 'sidebar-right-1', document.getElementById('LinkList1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_FeaturedPostView', new _WidgetInfo('FeaturedPost1', 'sidebar-right-1', document.getElementById('FeaturedPost1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList2', 'sidebar-right-1', document.getElementById('LinkList2'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList3', 'sidebar-right-1', document.getElementById('LinkList3'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList4', 'sidebar-right-1', document.getElementById('LinkList4'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_FeedView', new _WidgetInfo('Feed2', 'sidebar-right-1', document.getElementById('Feed2'), {'title': '', 'showItemDate': true, 'showItemAuthor': false, 'feedUrl': 'https://blog.0day.jp/feeds/posts/default?alt\x3drss', 'numItemsShow': 5, 'loadingMsg': 'Loading...', 'openLinksInNewWindow': false, 'useFeedWidgetServ': 'true'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_SubscribeView', new _WidgetInfo('Subscribe1', 'sidebar-right-1', document.getElementById('Subscribe1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML4', 'sidebar-right-1', document.getElementById('HTML4'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_AttributionView', new _WidgetInfo('Attribution1', 'footer-3', document.getElementById('Attribution1'), {}, 'displayModeFull'));
</script>
</body>
</html>